Description
Improper neutralization of special elements used in a command ('command injection') in Github Copilot allows an unauthorized attacker to execute code over a network.
Published: 2026-02-10
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is a command injection flaw in the GitHub Copilot Plugin for JetBrains IDEs. Improper neutralization of special elements allows an attacker to inject system commands, resulting in remote code execution on the host system. This flaw would enable an adversary to execute arbitrary code with the privileges of the application user.

Affected Systems

Microsoft GitHub Copilot Plugin for JetBrains IDEs is affected. No specific version information was provided in the advisory, so any installation of the plugin remains potentially vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score of 8.8 categorizes this flaw as high severity. The exploit probability score is low (<1%) and the vulnerability is not listed in the CISA KEV catalog, so no exploitation in the wild has been publicly confirmed. The likely attack vector is an unauthorized attacker reaching the plugin over a network connection to the IDE, which requires interaction with the plugin’s command processing logic. Without a patch, the risk remains significant because a successful exploit could fully compromise the host machine.

Generated by OpenCVE AI on April 15, 2026 at 16:26 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the GitHub Copilot Plugin for JetBrains IDEs to the latest patched release.
  • If a patch is unavailable, disable the plugin or restrict its use to trusted users until the fix is deployed.
  • Monitor system logs and network traffic for signs of unexpected command execution or anomalous activity.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 17:15:00 +0000

Type     Values Removed   Values Added
Metrics  -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Feb 2026 21:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Microsoft github Copilot
CPEs                 -                cpe:2.3:a:microsoft:github_copilot:*:*:*:*:*:jetbrains:*:*
Vendors & Products   -                Microsoft github Copilot

Tue, 10 Feb 2026 18:15:00 +0000

Type                 Values Removed   Values Added
Description          -                Improper neutralization of special elements used in a command ('command injection') in Github Copilot allows an unauthorized attacker to execute code over a network.
Title                -                GitHub Copilot for Jetbrains Remote Code Execution Vulnerability
First Time appeared  -                Microsoft; Microsoft gihub Copilot Plugin For Jetbrains Ides
Weaknesses           -                CWE-77
CPEs                 -                cpe:2.3:a:microsoft:gihub_copilot_plugin_for_jetbrains_ides:*:*:*:*:*:*:*:*
Vendors & Products   -                Microsoft; Microsoft gihub Copilot Plugin For Jetbrains Ides
References           -                -
Metrics              -                cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-10T13:21:22.513Z

Reserved: 2025-12-30T18:10:54.845Z

Link: CVE-2026-21516

Vulnrichment

Updated: 2026-02-25T15:43:08.242Z

NVD

Status : Analyzed

Published: 2026-02-10T18:16:33.960

Modified: 2026-02-11T21:40:45.440

Link: CVE-2026-21516

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T17:45:10Z

Weaknesses