cbcvebase.
CVE-2026-21256
published 2026-02-10

Priority: P2 · 61 · high · 8.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
EPSS: 1.10% (61.6th percentile)
Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to execute code over a network.

Affected (5 ranges)

Vendor    | Product                                     | Version range            | Fixed in
microsoft | microsoft_visual_studio_2022_version_17.14  | >= 17.14.0 < 17.14.26    | 17.14.26
microsoft | microsoft_visual_studio_2026_version_18.3   | >= 18.3.0 < 18.3.0       | 18.3.0
microsoft | visual_studio_2022                          | >= 17.14.0 < 17.14.26    | 17.14.26
msrc      | microsoft_visual_studio_2022_version_17.14  |                          |
msrc      | microsoft_visual_studio_2026_version_18.3   |                          |

Detection & IOCs (extracted from sources)

  • CVE-2026-21256 is a prompt injection leading to RCE in GitHub Copilot / Visual Studio; monitor for anomalous command execution spawned from Copilot or Visual Studio processes following user interaction with Copilot prompts
  • Exploitation requires user interaction with Copilot (UI:R) but no prior network access (AV:N); alert on unexpected child processes or shell commands spawned by Visual Studio or Copilot backend components after a user engages with a Copilot prompt
  • No public exploit exists as of the advisory date; exploitation is rated 'Less Likely' by Microsoft, and there is no CISA KEV entry
  • Affected scope is GitHub Copilot and Visual Studio 2022; patches were added for Windows on Feb 11 and Feb 12, 2026. Ensure Visual Studio 2022 ≥ 17.14 or Visual Studio 2026 ≥ 18.3 is deployed
  • Customer action is required; the vulnerability is not self-remediating and requires manual update of affected Visual Studio / Copilot installations

CVSS provenance

nvd (v3.1): 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vendor_msrc: 8.8 HIGH