Description
Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio allows an authorized attacker to elevate privileges over a network.
Published: 2026-02-10
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Elevation of Privilege
Action: Patch Now
AI Analysis

Impact

An attacker who already holds low-privileged access to the development environment (CVSS PR:L) can exploit a command injection flaw (CWE-77) in the integration between GitHub Copilot and Visual Studio. Special elements in command input are not properly neutralized, so attacker-controlled content can be interpreted as part of a command executed by the component that processes Copilot requests. The attack is reachable over the network (AV:N) but requires a user-interaction step (UI:R). A successful attack has high impact on confidentiality, integrity and availability of the affected Visual Studio instance (C:H/I:H/A:H, scope unchanged), which can lead to unauthorized system access, data exposure, or further lateral movement within the organization.

Affected Systems

Microsoft Visual Studio 2022 version 17.14 and Microsoft Visual Studio 2026 version 18.3 are affected. The flaw is in the component that processes GitHub Copilot requests in these versions. Note that the NVD CPE entries for this CVE (cpe:2.3:a:microsoft:visual_studio_2022:* and cpe:2.3:a:microsoft:visual_studio_2026:*) carry no version bounds, so confirm the exact vulnerable and fixed builds against Microsoft's advisory before marking an asset as unaffected.

Risk and Exploitability

The vulnerability has a CVSS v3.1 base score of 8.0 (High). The published vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H with temporal metrics E:U/RL:O/RC:C, i.e. no known exploit code, an official fix available and a confirmed report, which gives a temporal score of 7.0. EPSS puts the probability of exploitation below 1% at this time, the CVE is not listed in the CISA KEV catalog, and the CISA SSVC assessment records Exploitation: none, Automatable: no and Technical Impact: total. The attack requires an authenticated, low-privileged user of the development environment who can invoke Copilot, plus a user-interaction step. Defensive priority should follow the total technical impact rather than the low exploitation probability: a successful attack compromises the affected Visual Studio instance completely, together with the source, credentials and build infrastructure that instance can reach.

Generated by OpenCVE AI on April 15, 2026 at 16:24 UTC.

Remediation

No vendor fix or workaround is recorded on this page. The published CVSS vector's RL:O (Remediation Level: Official Fix) nevertheless indicates that Microsoft has shipped a fix; consult the Microsoft Security Response Center advisory for CVE-2026-21257 for the fixed Visual Studio builds.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied Visual Studio update that addresses CVE-2026-21257 in Visual Studio 2022 17.14 and Visual Studio 2026 18.3, and verify the installed build (Help > About, or vswhere output) against the fixed build listed in Microsoft's advisory.
  • If the update cannot be applied yet, temporarily disable or uninstall the GitHub Copilot extension in Visual Studio to remove the exploitable code path; this also removes Copilot functionality, so treat it as a stopgap rather than a fix.
  • Enforce least‑privilege permissions for developer accounts (no standing local administrator rights for day‑to‑day work), restrict who may install or enable IDE extensions, and monitor for shells or script hosts launched by the Visual Studio process with unexpected command lines.

Generated by OpenCVE AI on April 15, 2026 at 16:24 UTC.
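The last recommendation, monitoring for anomalous command execution, is the one most teams leave vague. The following is an added example (not part of the OpenCVE page or of any Microsoft guidance) of triage logic over process-creation telemetry in the shape of Sysmon Event ID 1 fields: it flags shells or script hosts whose parent is the Visual Studio IDE process and raises the severity when the command line carries generic post-exploitation indicators. The parent-process list, the shell list and the indicator patterns are assumptions to tune against a local baseline; the advisory does not say how the injected command is executed, and the sample events are constructed, not captured from real exploitation. Expect benign hits from the integrated terminal, which is why the output is a severity rather than a verdict.

```python
"""Triage shells spawned by the Visual Studio IDE process (added example, not from the advisory)."""
import ntpath
import re

# Assumption (not stated in the advisory): an injected command ends up executed by a shell or
# script host whose parent is the Visual Studio IDE process. Extend to your own baseline.
VS_PARENTS = {"devenv.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Generic post-exploitation indicators in a command line; any hit raises severity to "high".
SUSPICIOUS_PATTERNS = [
    r"\s-e(c|n|nc|ncodedcommand)?\b",   # PowerShell -EncodedCommand and its accepted prefixes
    r"downloadstring",
    r"invoke-expression",
    r"\biex\b",
    r"\bwhoami\b",
    r"\bnet\s+user\b",
    r"\bcertutil\b",
    r"\bbitsadmin\b",
    r"\bschtasks\b",
    r"\breg\s+add\b",
]

DEVENV = r"C:\Program Files\Microsoft Visual Studio\2022\Enterprise\Common7\IDE\devenv.exe"

# Constructed sample events (Sysmon Event ID 1 fields); illustrative only.
SAMPLE_EVENTS = [
    # IDE spawns cmd.exe running reconnaissance plus account creation: what an injection might look like.
    {"UtcTime": "2026-02-11 09:14:03.117", "User": "CORP\\dev1", "ParentImage": DEVENV,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c whoami /all & net user svc_helper Passw0rd! /add"},
    # Developer opens the integrated terminal: same parent/child pair, benign command line.
    {"UtcTime": "2026-02-11 09:20:41.502", "User": "CORP\\dev1", "ParentImage": DEVENV,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoLogo -NoExit"},
    # Post-build step run by MSBuild, not by the IDE process: out of scope for this rule.
    {"UtcTime": "2026-02-11 09:25:10.009", "User": "CORP\\dev1",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Enterprise\MSBuild\Current\Bin\MSBuild.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy /y app.dll C:\artifacts"},
    # Non-shell child of the IDE (git): ignored.
    {"UtcTime": "2026-02-11 09:26:00.330", "User": "CORP\\dev1", "ParentImage": DEVENV,
     "Image": r"C:\Program Files\Git\cmd\git.exe", "CommandLine": "git.exe status"},
]


def _name(path):
    """Lower-cased file name of a Windows path; ntpath works on any host OS."""
    return ntpath.basename(path).lower()


def classify_event(event):
    """Return a finding for a shell spawned by the IDE, or None if the event is out of scope."""
    parent, child = _name(event["ParentImage"]), _name(event["Image"])
    if parent not in VS_PARENTS or child not in SHELLS:
        return None
    cmdline = event.get("CommandLine", "")
    indicators = [p for p in SUSPICIOUS_PATTERNS if re.search(p, cmdline, re.IGNORECASE)]
    return {"time": event.get("UtcTime"), "user": event.get("User"),
            "parent": parent, "child": child, "cmdline": cmdline,
            "severity": "high" if indicators else "low", "indicators": indicators}


def triage(events):
    """Classify all events and return the findings, high severity first."""
    findings = [f for f in map(classify_event, events) if f is not None]
    findings.sort(key=lambda f: f["severity"] != "high")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print("%s %-4s %s -> %s [%s] %s"
              % (f["time"], f["severity"], f["parent"], f["child"], f["user"], f["cmdline"]))
```

Feed real Sysmon or EDR process-creation records with the same field names (ParentImage, Image, CommandLine, User) into triage(); low-severity hits from the integrated terminal can be suppressed by allow-listing the exact benign command lines your developers use, while high-severity hits warrant looking at what Copilot request preceded them.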

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 16:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Microsoft visual Studio 2026
CPEs | | cpe:2.3:a:microsoft:visual_studio_2026:*:*:*:*:*:*:*:*
Vendors & Products | | Microsoft visual Studio 2026

Thu, 26 Feb 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 11 Feb 2026 20:00:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:-:*:*

Tue, 10 Feb 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio allows an authorized attacker to elevate privileges over a network.
Title | | GitHub Copilot and Visual Studio Elevation of Privilege Vulnerability
First Time appeared | | Microsoft; Microsoft visual Studio 2022
Weaknesses | | CWE-77
CPEs | | cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*
Vendors & Products | | Microsoft; Microsoft visual Studio 2022
References | |
Metrics | | cvssV3_1 {'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-10T13:21:24.638Z

Reserved: 2025-12-11T21:02:05.737Z

Link: CVE-2026-21257

Vulnrichment

Updated: 2026-02-25T15:43:02.734Z

NVD

Status : Analyzed

Published: 2026-02-10T18:16:27.483

Modified: 2026-02-11T19:47:12.797

Link: CVE-2026-21257

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T17:45:10Z

Weaknesses