{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21516", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2025-12-30T18:10:54.845Z", "datePublished": "2026-02-10T17:51:35.340Z", "dateUpdated": "2026-05-11T21:25:36.124Z"}, "containers": {"cna": {"title": "GitHub Copilot for Jetbrains Remote Code Execution Vulnerability", "datePublic": "2026-02-10T16:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:gihub_copilot_plugin_for_jetbrains_ides:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.5.63"}]}]}], "affected": [{"vendor": "Microsoft", "product": "GitHub Copilot Plugin for JetBrains IDEs", "versions": [{"version": "1.0.0", "lessThan": "1.5.63", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Improper neutralization of special elements used in a command ('command injection') in Github Copilot allows an unauthorized attacker to execute code over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')", "lang": "en-US", "type": "CWE", "cweId": "CWE-77"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-11T21:25:36.124Z"}, "references": [{"name": "GitHub Copilot for Jetbrains Remote Code Execution Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21516"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21516", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-11T04:55:52.936237Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:44:44.135Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21516", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-11T04:55:52.936237Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T15:43:08.242Z"}}], "cna": {"title": "GitHub Copilot for Jetbrains Remote Code Execution Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "GitHub Copilot Plugin for JetBrains IDEs", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "1.5.63", "versionType": "custom"}]}], "datePublic": "2026-02-10T16:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21516", "name": "GitHub Copilot for Jetbrains Remote Code Execution Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Improper neutralization of special elements used in a command ('command injection') in Github Copilot allows an unauthorized attacker to execute code over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:gihub_copilot_plugin_for_jetbrains_ides:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "1.5.63", "versionStartIncluding": "1.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-11T18:10:15.285Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21516", "state": "PUBLISHED", "dateUpdated": "2026-05-11T18:10:15.285Z", "dateReserved": "2025-12-30T18:10:54.845Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-02-10T17:51:35.340Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:github_copilot:*:*:*:*:*:jetbrains:*:*", "matchCriteriaId": "13150737-5808-4F8A-B181-86C3AA6A1ACA", "versionEndExcluding": "1.5.63-243", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper neutralization of special elements used in a command ('command injection') in Github Copilot allows an unauthorized attacker to execute code over a network."}], "id": "CVE-2026-21516", "lastModified": "2026-02-11T21:40:45.440", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "secure@microsoft.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-10T18:16:33.960", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21516"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.0.0,1.5.63)"}}], "product": "gihub_copilot_plugin_for_jetbrains_ides", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-04-15T16:26:36.403879+00:00", "value": {"mitigation_remediation": ["Update the GitHub Copilot Plugin for JetBrains IDEs to the latest patched release.", "If a patch is unavailable, disable the plugin or restrict its use to trusted users until the fix is deployed.", "Monitor system logs and network traffic for signs of unexpected command execution or anomalous activity."], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Microsoft GitHub Copilot Plugin for JetBrains IDEs is affected. No specific version information was provided in the advisory, so any installation of the plugin remains potentially vulnerable until a patch is applied.", "description_and_impact": "The vulnerability is a command injection flaw in the GitHub Copilot Plugin for JetBrains IDEs. Improper neutralization of special elements allows an attacker to inject system commands, resulting in remote code execution on the host system. This flaw would enable an adversary to execute arbitrary code with the privileges of the application user.", "risk_and_exploitability": "The CVSS score of 8.8 categorizes this flaw as high severity. Although the exploit probability score is low (<1%), the vulnerability is not yet listed in the CISA KEV catalog, meaning a known exploit is not publicly confirmed. The likely attack vector is an unauthorized attacker exploiting the plugin over a network connection to the IDE, which requires interaction with the plugin\u2019s command processing logic. Without a patch, the risk remains significant due to the potential for complete compromise of the host machine."}}}}, "created": "2026-02-10T21:33:43.663048+00:00", "updated": "2026-04-15T17:45:10.810107+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$gihub_copilot_plugin_for_jetbrains_ides"]}