CVE-2026-21518: Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio
Summary
CVE-2026-21518 is a command injection vulnerability (a flaw in which attacker-supplied input is interpreted as part of a command) in GitHub Copilot and Visual Studio Code that allows an unauthorized attacker to bypass security features over a network. The vulnerability stems from improper neutralization of special characters used in commands. No CVSS severity score (a 0-10 rating of how serious a vulnerability is) has been assigned yet by NIST.
Vulnerability Details
6.5 (medium)
EPSS: 0.0%
Classification
Affected Vendors
Related Issues
CVE-2022-21727: TensorFlow is an Open Source Machine Learning Framework. The implementation of shape inference for `Dequantize` is vulne
CVE-2026-22252: LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbi
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-21518
First tracked: February 15, 2026 at 08:51 PM
Classified by LLM (prompt v3) · confidence: 85%