CVE-2026-21518

Published Feb 10, 2026

Last updated 16 days ago

CVSS high 8.8

Overview

Description
Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to bypass a security feature over a network.
Source
secure@microsoft.com
NVD status
Modified
Products
visual_studio_code

Risk scores

CVSS 3.1

Type
Primary
Base score
8.8
Impact score
5.9
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

secure@microsoft.com
CWE-77

Social media

Hype score
Not currently trending

  1. Top 5 Trending CVEs: 1 - CVE-2018-17144 2 - CVE-2025-29969 3 - CVE-2025-11730 4 - CVE-2026-21518 5 - CVE-2025-60021 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    23 Feb 2026

    133 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Time-of-check time-of-use (toctou) race condition in GitHub Copilot and Visual Studio allows an authorized attacker to execute code over a network.CVE-2026-21523
  2. Improper access control in GitHub Copilot and Visual Studio Code allows an authorized attacker to bypass a security feature over a network.CVE-2025-64660
  3. Improper validation of generative ai output in GitHub Copilot and Visual Studio Code allows an authorized attacker to bypass a security feature locally.CVE-2025-62453
  4. Ai command injection in Agentic AI and Visual Studio Code allows an unauthorized attacker to execute code over a network.CVE-2025-55319
  5. Files or directories accessible to external parties in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally.CVE-2025-21264

References

Sources include official advisories and independent security research.