CVE-2025-26646 (High) detected in microsoft.build.tasks.core.17.11.4.nupkg

[mend-bolt-for-github]

CVE-2025-26646 - High Severity Vulnerability

Vulnerable Library - microsoft.build.tasks.core.17.11.4.nupkg

This package contains the Microsoft.Build.Tasks assembly which implements the commonly used tasks of MSBuild.

Library home page: https://api.nuget.org/packages/microsoft.build.tasks.core.17.11.4.nupkg

Path to dependency file: /build/_build.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/microsoft.build.tasks.core/17.11.4/microsoft.build.tasks.core.17.11.4.nupkg

Dependency Hierarchy:

• nuke.common.9.0.4.nupkg (Root Library)
  • nuke.projectmodel.9.0.4.nupkg
    • ❌ microsoft.build.tasks.core.17.11.4.nupkg (Vulnerable Library)

Found in base branch: main

Vulnerability Details

External control of file name or path in .NET, Visual Studio, and Build Tools for Visual Studio allows an authorized attacker to perform spoofing over a network.

Publish Date: 2025-05-13

URL: CVE-2025-26646

CVSS 3 Score Details (8.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-h4j7-5rxr-p4wc

Release Date: 2025-05-13

Fix Resolution: Microsoft.Build.Tasks.Core - 17.8.29

---

Step up your Open Source Security Game with Mend here