Vibe Coding
CVE-2026-21518: VS Code mcp.json Command Injection Enables Remote Code Execution via Malicious Projects
Microsoft patched CVE-2026-21518, a command injection vulnerability in how Visual Studio Code and GitHub Copilot process mcp.json configuration files. The flaw stems from insufficient validation of user-supplied strings before system call execution. Opening a malicious project triggers arbitrary code execution in the current user's context. No privileges required — only user interaction (opening a project). This is the first CVE targeting MCP configuration files as an attack vector in a major editor.
Source
↳ Follow the thread