Description
Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to bypass a security feature over a network.
Published: 2026-02-10
Score: 8.8 High
EPSS: 1.4% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from an improper neutralization of special elements used in a command, enabling command injection. An attacker can send a crafted payload that is executed on the target system, allowing bypass of an internal security feature over a network. The flaw represents a CWE‑77 weakness and can result in unauthorized execution of arbitrary code with the privileges of the running instance of Visual Studio Code or the Copilot Chat Extension.

Affected Systems

Microsoft Visual Studio Code and the Copilot Chat Extension for Visual Studio Code are affected. All installations of either component that are running a version deployed before the remediation are potentially vulnerable. No specific version numbers are listed in the advisory, and therefore all pre‑patch releases are considered at risk.

Risk and Exploitability

The CVSS score of 8.8 categorises the vulnerability as high severity, while the EPSS score of 1% indicates a low likelihood of widespread exploitation at present. The issue is not present in the CISA KEV catalogue. Attackers would likely target instances of Visual Studio Code that are reachable over the network, delivering a specially crafted request that trick the extension into executing a payload. The exact network-facing interface is not detailed in the advisory, so the attack vector is inferred from the description of a “network” bypass.

Generated by OpenCVE AI on June 18, 2026 at 05:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest security update for Visual Studio Code and the Copilot Chat Extension as soon as it is available.
  • If a patch cannot be applied immediately, remove or disable the Copilot Chat Extension to eliminate the vulnerable code path.
  • Ensure that any command execution logic within the extension validates inputs and does not invoke shell commands with unsanitised user data; comply with CWE‑77 mitigation measures such as input sanitisation and safe function usage.

Generated by OpenCVE AI on June 18, 2026 at 05:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft visual Studio Code Copilot Chat Extension
CPEs cpe:2.3:a:microsoft:visual_studio_code_copilot_chat_extension:*:*:*:*:*:*:*:*
Vendors & Products Microsoft visual Studio Code Copilot Chat Extension

Thu, 26 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 17:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C'}

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Wed, 11 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:visual_studio_code:*:*:*:*:*:-:*:*

Tue, 10 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Description Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to bypass a security feature over a network.
Title GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability
First Time appeared Microsoft
Microsoft visual Studio Code
Weaknesses CWE-77
CPEs cpe:2.3:a:microsoft:visual_studio_code:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft visual Studio Code
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Visual Studio Code Visual Studio Code Copilot Chat Extension
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-11T21:25:51.574Z

Reserved: 2025-12-30T18:10:54.845Z

Link: CVE-2026-21518

cve-icon Vulnrichment

Updated: 2026-02-25T15:43:48.047Z

cve-icon NVD

Status : Modified

Published: 2026-02-10T18:16:34.263

Modified: 2026-06-17T10:18:46.180

Link: CVE-2026-21518

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T05:15:16Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')