Microsoft Visual Studio Code Copilot Chat Extension vulnerabilities
6 known vulnerabilities affecting microsoft/microsoft_visual_studio_code_copilot_chat_extension.
Total CVEs: 6
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 4, MEDIUM 2
Vulnerabilities
CVE-2026-23653 | MEDIUM | CVSS 5.7 | CWE-77 | ≥ 0.27.0, < 0.37.3 | 2026-04-14
Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio Code allows an authorized attacker to disclose information over a network.
cvelistv5, nvd
CVE-2026-21518 | HIGH | CVSS 8.8 | CWE-77 | ≥ 0.27.0, < 0.37.1 | 2026-02-10
Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to bypass a security feature over a network.
cvelistv5, nvd
CVE-2026-21523 | HIGH | CVSS 8.0 | CWE-367 | ≥ 0.27.0, < 0.37.1 | 2026-02-10
Time-of-check time-of-use (toctou) race condition in GitHub Copilot and Visual Studio allows an authorized attacker to execute code over a network.
cvelistv5, nvd
CVE-2025-62222 | HIGH | CVSS 8.8 | CWE-20 | ≥ 0.27.0, < 0.32.5 | 2025-11-11
Improper neutralization of special elements used in a command ('command injection') in Visual Studio Code CoPilot Chat Extension allows an unauthorized attacker to execute code over a network.
cvelistv5, nvd
CVE-2025-62449 | MEDIUM | CVSS 6.8 | CWE-22 | ≥ 0.27.0, < 0.32.5 | 2025-11-11
Improper limitation of a pathname to a restricted directory ('path traversal') in Visual Studio Code CoPilot Chat Extension allows an authorized attacker to bypass a security feature locally.
cvelistv5, nvd
CVE-2025-21264 | HIGH | CVSS 7.1 | CWE-552 | ≥ 0.27.0, < 0.27.2 | 2025-05-13
Files or directories accessible to external parties in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally.
cvelistv5, nvd