Overview
- OX Security detailed CVE-2025-65717 in Live Server (CVSS 9.1), enabling local file exfiltration via a malicious webpage that targets the localhost:5500 development server.
- CVE-2025-65716 in Markdown Preview Enhanced allows arbitrary JavaScript from crafted Markdown files to interact with localhost for port enumeration and data theft.
- CVE-2025-65715 in Code Runner permits remote code execution by tricking users, through phishing or social engineering, into modifying the global settings.json.
- A one-click XSS in Microsoft Live Preview, which exposed sensitive local files, was quietly fixed in version 0.4.16 in September 2025 without a CVE being assigned.
- OX Security says maintainers did not respond to months of disclosures, notes the same risks extend to Cursor and Windsurf, and urges removing nonessential extensions, avoiding untrusted HTML and leaving localhost development servers running, and never pasting unverified settings snippets.
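The settings.json vector above (Code Runner) comes down to a pasted snippet silently redefining which shell commands the editor runs. The following added check, which is not part of the OX Security write-up or of any extension, parses a settings.json snippet as JSONC (comments and trailing commas are allowed there) and flags keys that define executable commands; the key list is an assumed heuristic, and the sample snippet is constructed for this example.

```python
import json
import re

# Assumed heuristic: settings keys through which a pasted snippet can define
# commands the editor or an extension will execute. Not from the advisory.
COMMAND_KEY_PATTERNS = [
    r"^code-runner\.executorMap",                 # Code Runner: language -> command
    r"^code-runner\.customCommand$",
    r"^terminal\.integrated\.(shell|profiles|automationProfile)\.",
]

def strip_jsonc(text: str) -> str:
    """Drop // and /* */ comments (outside strings) and trailing commas so JSONC parses as JSON."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:                       # copy string contents verbatim, incl. "//" in URLs
            out.append(c)
            if c == "\\" and i + 1 < n:
                out.append(text[i + 1]); i += 2; continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True; out.append(c); i += 1
        elif text.startswith("//", i):   # line comment: skip to end of line
            j = text.find("\n", i); i = n if j == -1 else j
        elif text.startswith("/*", i):   # block comment: skip to closing */
            j = text.find("*/", i + 2); i = n if j == -1 else j + 2
        else:
            out.append(c); i += 1
    # Trailing commas before } or ] (heuristic; applied outside the string scan above)
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))

def flag_risky_settings(snippet: str) -> list[str]:
    """Return 'key: value' entries whose key matches a command-executing setting."""
    settings = json.loads(strip_jsonc(snippet))
    return [f"{key}: {json.dumps(value)}" for key, value in settings.items()
            if any(re.search(p, key) for p in COMMAND_KEY_PATTERNS)]

# Constructed sample: a "helpful" snippet as it might be pasted from a forum post.
SAMPLE_SNIPPET = """{
  // tweak fonts and autosave
  "editor.fontSize": 14,
  "files.autoSave": "afterDelay", /* harmless */
  "code-runner.executorMap": {
    "python": "ATTACKER_COMMAND_PLACEHOLDER; python -u"
  },
}"""

if __name__ == "__main__":
    for finding in flag_risky_settings(SAMPLE_SNIPPET):
        print("RISKY:", finding)
```

Run it over any snippet before pasting it into your global settings; an empty result means none of the listed command keys are present, not that the snippet is safe.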