Microsoft GitHub Copilot and Visual Studio Code Command Injection Vulnerability Allowing Information Disclosure

Vulnerability

A command injection vulnerability has been identified in GitHub Copilot and Visual Studio Code. Improper neutralization of special elements used in commands allows an authorized attacker to disclose information over a network. Specifically, the vulnerability could be exploited to reveal the contents of the Model Context Protocol (MCP) when using Copilot.

Impact

Exploitation of this vulnerability could lead to unauthorized information disclosure, specifically the contents of the Model Context Protocol (MCP) when using Copilot.

Remediation

Users are advised to update to the latest version of the Microsoft Visual Studio Code Copilot Chat Extension. The security update can be downloaded from the Visual Studio Code website.

Added: Apr 14, 2026, 11:03 PM
Updated: Apr 14, 2026, 11:03 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 5.0
remediation: 0.0
relevance: 5.9
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.