Main Vulnerability Database Vulnerabilities #VU122622

#VU122622 Command Injection in Visual Studio Code - CVE-2026-21518

Published: February 10, 2026 / Updated: February 19, 2026

Vulnerability identifier: #VU122622

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2026-21518

CWE-ID: CWE-77

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Visual Studio Code

Software vendor:
Microsoft

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to insufficient input validation in GitHub Copilot and Visual Studio Code where workspace trust was not always demanded to start MCP servers. A remote attacker can pass specially crafted data to the application and execute arbitrary commands.

Remediation

Install updates from vendor's website.

External links

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21518
https://github.com/microsoft/vscode/security/advisories/GHSA-6xq8-9qf3-p6qv

#VU122622 Command Injection in Visual Studio Code - CVE-2026-21518

Description

Remediation

External links

Please verify you're human