Copilot CLI
by GitHub
CVEs (8)
| CVE | Vendor / Product | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-41109 | GitHub / Copilot CLI | High | 0.57 | 8.8 | 0.01 | — | May 12, 2026 | Improper neutralization of special elements in output used by a downstream component ('injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to bypass a security feature over a network. |
| CVE-2026-45033 | GitHub / Copilot CLI | High | 0.44 | 7.8 | 0.00 | — | May 13, 2026 | GitHub Copilot CLI brings AI-powered coding assistance directly to your command line. Prior to 1.0.43, a security vulnerability has been identified in GitHub Copilot CLI where a malicious bare git repository nested inside a project directory can achieve arbitrary code execution… |
| CVE-2026-29783 | GitHub / Copilot CLI | High | 0.44 | 7.8 | 0.00 | — | Mar 6, 2026 | The shell tool within GitHub Copilot CLI versions prior to and including 0.0.422 can allow arbitrary code execution through crafted bash parameter expansion patterns. An attacker who can influence the commands executed by the agent (e.g., via prompt injection through repository… |
| CVE-2026-23653 | GitHub / Copilot CLI | Medium | 0.37 | 5.7 | 0.01 | — | Apr 14, 2026 | Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio Code allows an authorized attacker to disclose information over a network. |
| CVE-2026-21256 | GitHub / Copilot CLI | — | 0.00 | — | 0.01 | — | Feb 10, 2026 | Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to execute code over a network. |
| CVE-2026-21516 | GitHub / Copilot CLI | — | 0.00 | — | 0.01 | — | Feb 10, 2026 | Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot allows an unauthorized attacker to execute code over a network. |
| CVE-2026-21523 | GitHub / Copilot CLI | — | 0.00 | — | 0.01 | — | Feb 10, 2026 | Time-of-check time-of-use (TOCTOU) race condition in GitHub Copilot and Visual Studio allows an authorized attacker to execute code over a network. |
| CVE-2025-64660 | GitHub / Copilot CLI | — | 0.00 | — | 0.00 | — | Nov 20, 2025 | Improper access control in GitHub Copilot and Visual Studio Code allows an authorized attacker to execute code over a network. |
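The CVE-2026-29783 row describes the shell tool running arbitrary code through crafted bash parameter expansion. The Python below is an added example, not Copilot CLI code and not the CVE's specific pattern (the description is truncated on the page). It shows the general weakness: a guard that allowlists only the command name passes `echo ${UNSET:-$(id)}`, yet bash runs `id` when it expands the argument, because command substitution is performed inside parameter-expansion defaults. `code_executing_constructs` is a quote-aware scanner for such expansion-time code execution; the function names, the allowlist contents and the sample commands are assumptions made for this illustration.

```python
"""Pre-flight check for a shell command an agent wants to run through bash.

Added illustration (not Copilot CLI code) of the weakness class named in
CVE-2026-29783: checking only the command name is not enough, because bash
performs command substitution while expanding arguments, including inside
parameter-expansion defaults such as ${UNSET:-$(id)}. The guard below is a
hypothetical one; the CVE's exact pattern is truncated on the page and is
not reproduced here. Pipelines and separators (';', '|', '&&') are a
separate concern and are not handled.
"""

# Hypothetical allowlist of command names the agent may invoke.
ALLOWED_COMMANDS = {"ls", "cat", "echo", "grep", "git"}


def naive_allowlist(cmd: str) -> bool:
    """Weak check: inspects only the first word, so expansions in arguments slip through."""
    words = cmd.strip().split()
    return bool(words) and words[0] in ALLOWED_COMMANDS


def _matching_paren(s: str, start: int) -> int:
    """Index of the ')' closing the '(' at s[start]; end of string if unbalanced."""
    depth = 0
    for j in range(start, len(s)):
        if s[j] == "(":
            depth += 1
        elif s[j] == ")":
            depth -= 1
            if depth == 0:
                return j
    return len(s) - 1


def code_executing_constructs(cmd: str) -> list[str]:
    """Return the substrings bash would execute as code while expanding cmd.

    Quoting is tracked: nothing expands inside single quotes; $(...) and
    backticks still expand inside double quotes; process substitution does not.
    Reported constructs:
      $(...)         command substitution, wherever it appears (e.g. in ${x:-...})
      `...`          legacy command substitution
      <(...) >(...)  process substitution
    $((...)) arithmetic is stepped over so any $(...) nested inside it is still seen.
    """
    found: list[str] = []
    in_single = in_double = False
    i, n = 0, len(cmd)
    while i < n:
        c = cmd[i]
        if c == "\\" and not in_single:
            i += 2  # backslash-escaped character is literal
            continue
        if c == "'" and not in_double:
            in_single = not in_single
        elif c == '"' and not in_single:
            in_double = not in_double
        elif not in_single:
            if cmd.startswith("$((", i):
                i += 3  # arithmetic expansion: keep scanning its body for nested substitutions
                continue
            if cmd.startswith("$(", i):
                end = _matching_paren(cmd, i + 1)
                found.append(cmd[i:end + 1])
                i = end + 1
                continue
            if c == "`":
                end = cmd.find("`", i + 1)
                end = n - 1 if end == -1 else end
                found.append(cmd[i:end + 1])
                i = end + 1
                continue
            if c in "<>" and cmd.startswith("(", i + 1) and not in_double:
                end = _matching_paren(cmd, i + 1)
                found.append(cmd[i:end + 1])
                i = end + 1
                continue
        i += 1
    return found


def safe_to_run(cmd: str) -> bool:
    """Stronger check: allowlisted name and no expansion-time code execution."""
    return naive_allowlist(cmd) and not code_executing_constructs(cmd)


if __name__ == "__main__":
    for sample in ("ls -la", "echo ${UNSET:-$(id)}", "echo '$(id)'", "cat <(id)"):
        print(f"{sample!r:28} allowlist={naive_allowlist(sample)!s:5} "
              f"constructs={code_executing_constructs(sample)} safe={safe_to_run(sample)}")
```

Separators and pipelines are deliberately out of scope here; a production guard needs a full shell grammar or, better, no shell at all, passing an argv array to the process API so that nothing is expanded.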
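The CVE-2026-45033 row names a malicious bare git repository nested inside a project directory as the trigger. The Python below is an added example, not Copilot CLI code and not the CVE's exploitation path (which the page truncates): a pre-flight scan that walks an untrusted checkout, reports any git directory other than the project's own `.git`, marks those with `core.bare = true`, and lists config keys whose values git is documented to execute as commands (for example `core.fsmonitor` and `core.hooksPath`). The fixture, the scanned paths and the placeholder command value are constructed for this illustration.

```python
"""Find git repositories, in particular bare ones, hidden inside a project tree.

Added illustration (not Copilot CLI code) of the precondition in
CVE-2026-45033: a malicious bare repository nested inside a project directory.
Tools that shell out to git while working under such a directory may treat it
as the governing repository, and git reads that repository's config. This is a
hypothetical pre-flight scan for an untrusted checkout; it does not reproduce
the CVE's exploitation path, which the page truncates.
"""
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

# Config keys whose values git runs as commands (documented git behaviour).
COMMAND_KEYS = {
    "core.fsmonitor", "core.hookspath", "core.sshcommand", "core.pager",
    "core.editor", "diff.external", "credential.helper",
}
# Matches section headers such as [core] and [remote "origin"].
_SECTION_RE = re.compile(r'\[([^\s\]]+)(?:\s+"([^"]*)")?\]$')


def parse_git_config(text: str) -> dict[str, str]:
    """Minimal parser for git's INI-style config; keys come back as lowercase 'section.key'."""
    result: dict[str, str] = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            if m.group(2):
                section += "." + m.group(2)  # subsection names are case-sensitive
            continue
        key, _, value = line.partition("=")
        result[f"{section}.{key.strip().lower()}"] = value.strip()
    return result


def looks_like_git_dir(path: Path) -> bool:
    """HEAD plus objects/ and refs/ is the shape git itself requires of a git directory."""
    return (path / "HEAD").is_file() and (path / "objects").is_dir() and (path / "refs").is_dir()


def find_nested_git_dirs(project_root: Path) -> list[dict]:
    """Report every git directory under project_root except the project's own .git.

    Each finding carries the relative path, whether core.bare is true, and any
    command-executing config keys found in that repository's config file.
    """
    root = project_root.resolve()
    findings: list[dict] = []
    for dirpath, dirnames, _ in os.walk(root):
        current = Path(dirpath)
        if current == root / ".git":
            dirnames[:] = []  # the project's own metadata is expected; skip it
            continue
        if current != root and looks_like_git_dir(current):
            config_file = current / "config"
            cfg = parse_git_config(config_file.read_text()) if config_file.is_file() else {}
            findings.append({
                "path": current.relative_to(root).as_posix(),
                "bare": cfg.get("core.bare", "").lower() == "true",
                "command_keys": {k: v for k, v in cfg.items() if k in COMMAND_KEYS},
            })
            dirnames[:] = []  # no need to descend into repository internals
    return findings


def build_fixture() -> Path:
    """Constructed sample: a project with its own .git and a bare repo hidden under vendor/."""
    root = Path(tempfile.mkdtemp(prefix="nested-bare-"))
    repos = {
        root / ".git": "[core]\n\trepositoryformatversion = 0\n\tbare = false\n",
        # Placeholder command path; in a real incident this value is attacker-controlled.
        root / "vendor" / "tools.git": "[core]\n\tbare = true\n\tfsmonitor = /path/to/attacker-script\n",
    }
    for git_dir, config in repos.items():
        (git_dir / "objects").mkdir(parents=True)
        (git_dir / "refs").mkdir()
        (git_dir / "HEAD").write_text("ref: refs/heads/main\n")
        (git_dir / "config").write_text(config)
    (root / "src").mkdir()
    (root / "src" / "app.py").write_text("print('hello')\n")
    return root


if __name__ == "__main__":
    for finding in find_nested_git_dirs(build_fixture()):
        print(finding)
```

Run the scan before pointing any tool that shells out to git at a checkout you did not create; a finding with `bare` set and a non-empty `command_keys` is a reason to stop and inspect rather than proceed.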