Main Vulnerability Database Vulnerabilities #VU122622

Command Injection in Visual Studio Code - CVE-2026-21518

Published: February 10, 2026 / Updated: February 19, 2026

Vulnerability identifier: #VU122622

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2026-21518

CWE-ID: CWE-77

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Microsoft

Affected software:
Visual Studio Code

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to insufficient input validation in GitHub Copilot and Visual Studio Code where workspace trust was not always demanded to start MCP servers. A remote attacker can pass specially crafted data to the application and execute arbitrary commands.

How to mitigate CVE-2026-21518

Install updates from vendor's website.

Sources

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21518
https://github.com/microsoft/vscode/security/advisories/GHSA-6xq8-9qf3-p6qv

Command Injection in Visual Studio Code - CVE-2026-21518

Detailed vulnerability description

How to mitigate CVE-2026-21518

Sources

Please verify you're human