Unrated severityNVD Advisory· Published Feb 10, 2026· Updated Apr 10, 2026
GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability
CVE-2026-21518
Description
Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to bypass a security feature over a network.
Affected products
4(expand)+ 1 more
- (no CPE)
- (no CPE)range: 1.0.0
- Range: 0.27.0
Patches
Vulnerability mechanics
References
1- msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21518mitrevendor-advisorypatch
News mentions
1- ZDI-26-253: Microsoft Visual Studio Code mcp.json Command Injection Remote Code Execution VulnerabilityZero Day Initiative · Apr 2, 2026