CVE-2026-23653

MEDIUM

GitHub Copilot and Visual Studio Code Information Disclosure Vulnerability

Title source: cna

Description

Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio Code allows an authorized attacker to disclose information over a network.

References (1)

[Vendor Advisory] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23653

Scores

CVSS v3 5.7

EPSS 0.0008

EPSS Percentile 24.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-77

Status published

Products (1)

Microsoft/Microsoft Visual Studio Code CoPilot Chat Extension 0.27.0 - 0.37.3

Published Apr 14, 2026

Tracked Since Apr 14, 2026