{"data":{"id":"d5c9bd40-bd46-491c-ad0f-fbcec131b613","title":"CVE-2026-41109: Improper neutralization of special elements in output used by a downstream component ('injection') in GitHub Copilot and Visual Studio","summary":"CVE-2026-41109 is a security flaw in GitHub Copilot and Visual Studio that allows an attacker to bypass a security feature. Special elements in output are not properly neutralized before another component processes them (injection, where untrusted data is inserted into code or commands). The vulnerability can be exploited over a network by unauthorized attackers, but per the CVSS vector (UI:R) it requires user interaction.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-41109","publishedAt":"2026-05-12T18:17:22.210Z","cveId":"CVE-2026-41109","cweIds":["CWE-74"],"cvssScore":"8.8","cvssSeverity":"high","severity":"high","attackType":["prompt_injection"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["Microsoft"],"affectedVendorsRaw":["GitHub Copilot","Visual Studio"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","attackVector":"network","attackComplexity":"low","privilegesRequired":"none","userInteraction":"required","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-05-12T18:17:22.210Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity"],"aiComponentTargeted":"api","llmSpecific":true,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}