Medium severity (CVSS 5.7) · NVD Advisory · Published Apr 14, 2026 · Updated May 6, 2026
CVE-2026-23653
Description
Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio Code allows an authorized attacker to disclose information over a network.
Affected products
- cpe:2.3:a:microsoft:github_copilot_chat:*:*:*:*:*:visual_studio_code:*:* (affected range: versions < 0.37.3)
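The only concrete fact the advisory gives a defender to act on is the affected range (< 0.37.3 of the Copilot Chat extension for VS Code). The script below is an added example, not code from the advisory, Microsoft or GitHub: it parses the output of `code --list-extensions --show-versions` and reports whether the installed build falls inside that range. It assumes the CPE `github_copilot_chat` corresponds to the extension id `GitHub.copilot-chat` and that 0.37.3 is the first unaffected version; both are inferred from the CPE line above, not stated elsewhere on this page. The sample output in the block is constructed, not a real capture.

```python
"""Check installed VS Code extensions against the CVE-2026-23653 affected range.

Added example, not from the advisory or from Microsoft/GitHub. Assumptions:
- the CPE `github_copilot_chat` maps to the VS Code extension id `GitHub.copilot-chat`;
- the fixed version is 0.37.3 (the advisory gives the affected range as < 0.37.3);
- input is the text printed by `code --list-extensions --show-versions`,
  one `publisher.name@version` per line.
"""
import re
import subprocess
from typing import Optional

EXTENSION_ID = "GitHub.copilot-chat"  # assumed mapping from the CPE entry
FIXED_VERSION = "0.37.3"              # first unaffected version per the advisory range


def parse_version(text: str) -> tuple:
    """Turn '0.37.2' (or '0.37.2-pre') into a comparable tuple of ints.

    Non-numeric tails (pre-release tags) are dropped; missing components count as 0,
    so '0.37' compares as (0, 37, 0).
    """
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_extension_list(output: str) -> dict:
    """Parse `code --list-extensions --show-versions` output into {id_lowercase: version}.

    Extension ids are case-insensitive in the marketplace, so keys are lower-cased.
    Lines without '@' (blank lines, CLI warnings) are ignored.
    """
    found = {}
    for line in output.splitlines():
        line = line.strip()
        if "@" not in line:
            continue
        ext_id, _, version = line.rpartition("@")
        found[ext_id.lower()] = version
    return found


def is_affected(installed_version: str, fixed_version: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly below the fixed version."""
    return parse_version(installed_version) < parse_version(fixed_version)


def assess(output: str) -> Optional[str]:
    """Return None if the extension is not installed, else 'affected' or 'fixed'."""
    exts = parse_extension_list(output)
    version = exts.get(EXTENSION_ID.lower())
    if version is None:
        return None
    return "affected" if is_affected(version) else "fixed"


def assess_local() -> Optional[str]:
    """Run the real VS Code CLI (needs `code` on PATH); same verdict as assess()."""
    proc = subprocess.run(
        ["code", "--list-extensions", "--show-versions"],
        capture_output=True, text=True, check=True,
    )
    return assess(proc.stdout)


if __name__ == "__main__":
    # Constructed sample output, not a real capture.
    sample = (
        "GitHub.copilot@1.300.0\n"
        "GitHub.copilot-chat@0.37.2\n"
        "ms-python.python@2026.4.0\n"
    )
    print(f"{EXTENSION_ID}: {assess(sample)}")
```

Run it against a fleet by piping each host's `code --list-extensions --show-versions` output into `assess()`; `assess_local()` does the same for the machine it runs on. Pre-release builds carry extra version components, which the parser tolerates by comparing whatever numeric prefix is present.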
Patches
No patches discovered yet.
References
- msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23653 (NVD tag: Vendor Advisory)
News mentions
- Kimsuky targets organizations with PebbleDash-based tools (Securelist · May 14, 2026)
- Official CheckMarx Jenkins package compromised with infostealer (BleepingComputer · May 11, 2026)
- TeamPCP Weekly Analysis: 2026-W18 (2026-04-27 through 2026-05-03), (Mon, May 4th) (SANS Internet Storm Center · May 4, 2026)
- The npm Threat Landscape: Attack Surface and Mitigations (Updated May 1) (Unit 42 · May 2, 2026)
- PyTorch Lightning and Intercom-client Hit in Supply Chain Attacks to Steal Credentials (The Hacker News · Apr 30, 2026)
- SAP-Related npm Packages Compromised in Credential-Stealing Supply Chain Attack (The Hacker News · Apr 29, 2026)
- Researchers Uncover 73 Fake VS Code Extensions Delivering GlassWorm v2 Malware (The Hacker News · Apr 27, 2026)
- DPRK Fake Job Scams Self-Propagate in 'Contagious Interview' (Dark Reading · Apr 22, 2026)