CVE-2026-21256

Published Feb 10, 2026

Last updated a month ago

CVSS high 8.8

Overview

Description
Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to execute code over a network.
Source
secure@microsoft.com
NVD status
Analyzed
Products
visual_studio_2022

Risk scores

CVSS 3.1

Type
Primary
Base score
8.8
Impact score
5.9
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

secure@microsoft.com
CWE-77
nvd@nist.gov
CWE-77

Social media

Hype score
Not currently trending

Configurations

Related CVEs

  1. Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio allows an authorized attacker to elevate privileges over a network.CVE-2026-21257
  2. Improper neutralization of special elements used in a command ('command injection') in Visual Studio allows an authorized attacker to execute code locally.CVE-2025-62214
  3. Inconsistent interpretation of http requests ('http request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.CVE-2025-55315
  4. Improper access control in Visual Studio allows an authorized attacker to elevate privileges locally.CVE-2025-55240
  5. Inadequate encryption strength in .NET, .NET Framework, Visual Studio allows an authorized attacker to disclose information over a network.CVE-2025-55248

References

Sources include official advisories and independent security research.