121 CVEs

2 in CISA KEV

dotnet Vulnerabilities

CVE security advisories and vulnerability history for dotnet.

121

Total CVEs

Published

2

In CISA KEV

Exploited in the wild

8

Public exploits

With known exploit

7.4

Avg CVSS

2017–2026

Overview

dotnet has 121 published CVE records since 2017, of which 2 are in CISA's Known Exploited Vulnerabilities catalog and 8 have a known public exploit. The average CVSS base score across scored CVEs is 7.4.

This page aggregates every publicly disclosed vulnerability (CVE) affecting dotnet products, with severity breakdowns, the most-affected products, the most common weakness types, and the latest disclosures.

Severity and exploitation

How the CVSS severity of dotnet's CVEs breaks down, plus how many are exploited in the wild or have public exploit code.

Critical5

High64

Medium17

Low0

35 additional CVEs have no CVSS severity score.

In CISA’s Known Exploited Vulnerabilities catalog

2

2 of dotnet's CVEs are confirmed exploited in the wild.

Public exploits

8

8 of dotnet's CVEs have a known public exploit available.

Most affected products

The dotnet products with the most published CVEs.

core88 CVEs
dotnet-sdk75 CVEs
.net75 CVEs
dotnet75 CVEs
visual studio 202262 CVEs
Microsoft Visual Studio 2022 version 17.646 CVEs
.NET 6.041 CVEs
Microsoft Visual Studio 2022 version 17.436 CVEs

Common weakness types

The CWE weakness categories most often found in dotnet CVEs. Follow any weakness for its full explanation.

CNAs that assign these CVEs

The CVE Numbering Authorities that publish dotnet CVE records.

Disclosure activity by year

How many dotnet CVEs were published each year.

2019

13

2020

10

2021

12

2022

10

2023

25

2024

22

2025

12

2026

2

Latest dotnet CVEs

The most recently disclosed vulnerabilities affecting dotnet.

High vulnerability · 2026-03-19
CWE-400
High · CVSS 7.5
EPSS 6.6%2026-03-19
.NET Spoofing Vulnerability
CWE-166
High · CVSS 7.5
EPSS 0.0%2026-02-10
.NET, .NET Framework, and Visual Studio Information Disclosure Vulnerability
CWE-326
Medium · CVSS 4.8
EPSS 0.0%2025-10-14
ASP.NET Security Feature Bypass Vulnerability
CWE-444
Critical · CVSS 9.9
EPSS 1.7%2025-10-14
.NET Elevation of Privilege Vulnerability
CWE-59
High · CVSS 7.3
EPSS 0.0%2025-10-14
.NET and Visual Studio Remote Code Execution Vulnerability
CWE-426
High · CVSS 7.5
EPSS 0.3%2025-06-13
IO::Compress::Brotli versions prior to 0.007 for Perl have an integer overflow in the bundled Brotli C library
CWE-1395
Critical · CVSS 9.8
EPSS 0.5%2025-05-30
.NET, Visual Studio, and Build Tools for Visual Studio Spoofing Vulnerability
CWE-73
High · CVSS 8.0
EPSS 0.1%2025-05-13
ASP.NET Core and Visual Studio Denial of Service Vulnerability
CWE-770
High · CVSS 7.5
EPSS 9.6%2025-04-08
ASP.NET Core and Visual Studio Elevation of Privilege Vulnerability
CWE-1390
High · CVSS 7.0
EPSS 0.3%2025-03-11
.NET and Visual Studio Remote Code Execution Vulnerability
CWE-190
High · CVSS 7.5
EPSS 0.4%2025-01-14
.NET Elevation of Privilege Vulnerability
CWE-379
High · CVSS 7.3
EPSS 2.0%2025-01-14

Track new dotnet CVEs as they are disclosed and get AI-written analysis and remediation guidance.

Monitor dotnet CVEs

Other vendors

Browse vulnerabilities for other tracked vendors.

microsoft24,097 CVEs Linux19,131 CVEs google14,281 CVEs apple14,019 CVEs oracle10,440 CVEs debian10,201 CVEs IBM8,265 CVEs Adobe7,222 CVEs

Browse all vendors

Frequently asked questions

Common questions about dotnet vulnerabilities.

How many CVEs does dotnet have?

dotnet has 121 published CVE records since 2017, including 14 in the last two years.

How many dotnet CVEs are in CISA KEV?

Yes — 2 of dotnet's CVEs are listed in CISA's Known Exploited Vulnerabilities catalog, confirmed exploited in the wild and carrying a CISA remediation deadline.

Which dotnet products have the most CVEs?

The dotnet products with the most published CVEs are core, dotnet-sdk, .net, dotnet, visual studio 2022.

What are the most common weakness types in dotnet CVEs?

dotnet's CVEs most often map to these CWE weakness types: CWE-400 (Uncontrolled Resource Consumption), CWE-20 (Improper Input Validation), CWE-416 (Use After Free), CWE-407 (Inefficient Algorithmic Complexity).

Are there public exploits for dotnet vulnerabilities?

Yes — 8 of dotnet's CVEs have a known public exploit.

How many critical dotnet vulnerabilities are there?

dotnet has 5 critical and 64 high-severity CVEs.

What is the average severity of dotnet CVEs?

The average CVSS base score across dotnet's scored CVEs is 7.4.

References

Vulnerability data is sourced from the CVE Program; severity, KEV, and exploit signals are aggregated by RadicalNotion.AI.

Track dotnet vulnerabilities

Monitor new dotnet vulnerabilities as they are disclosed, with AI-written analysis and remediation guidance.

Start free See pricing