What is the CVSS score of CVE-2026-21256?

CVE-2026-21256 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Github are affected by CVE-2026-21256?

CVE-2026-21256 is a critical command injection vulnerability affecting GitHub Copilot and Visual Studio that allows remote code execution without authentication.. A patch is available.

How to fix or mitigate CVE-2026-21256?

Within 24 hours: Inventory all GitHub Copilot and Visual Studio installations across the organization and disable Copilot features until further notice. Within 7 days: Conduct incident response readiness drills and implement enhanced code review processes for any commits generated during the vulnerable period. Within 30 days: Establish a vendor communication protocol with GitHub and Microsoft for patch timelines, perform forensic analysis of development environments for potential compromise, and develop a phased re-enablement strategy pending patch availability.

Github CVE-2026-21256

HIGH

Command Injection (CWE-77)

2026-02-10 secure@microsoft.com

Github Command Injection AI / ML Visual Studio 2022

8.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

8.8 HIGH

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:02 vuln.today

CVE Published

Feb 10, 2026 - 18:16 nvd

HIGH 8.8

DescriptionCVE.org

Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to execute code over a network.

AnalysisAI

Remote code execution in GitHub Copilot and Visual Studio 2022 via command injection allows unauthenticated attackers to execute arbitrary code over the network with user interaction. The vulnerability stems from improper sanitization of special elements in commands, enabling attackers to break out of intended command contexts and inject malicious payloads. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Craft malicious input with special characters

Exploit

User opens file in GitHub Copilot or Visual Studio

Execution

Command injection in code processing

Impact

Execute arbitrary code with user privileges

Access

Craft malicious input with special characters

Exploit

User opens file in GitHub Copilot or Visual Studio

Execution

Command injection in code processing

Impact

Execute arbitrary code with user privileges

Vulnerability AssessmentAI

Exploitation	GitHub Copilot extension or Visual Studio with Copilot enabled installed and active. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 8.8 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	A remote attacker without authentication could exploit this vulnerability to compromise the affected system.
Remediation	Monitor vendor advisories for a patch. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all GitHub Copilot and Visual Studio installations across the organization and disable Copilot features until further notice. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-21256 vulnerability details – vuln.today

Back

Github CVE-2026-21256

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code