Command injection in Visual Studio Code - CVE-2026-50520
Published: July 17, 2026
Visual Studio Code
Detailed vulnerability description
The vulnerability allows a local attacker to execute arbitrary code.
The vulnerability exists due to command injection in Visual Studio Code when executing commands with improper neutralization of special elements. A local attacker can inject crafted command elements to execute arbitrary code.
Exploitation requires code to be executed from the local machine.