CVE-2026-41109 is a GitHub Copilot and Visual Studio Code security feature bypass vulnerability classified as an injection issue. Microsoft rates it as High severity with a CVSS v3.1 base score of 8.8 and temporal score of 7.7. The vector is network-based, low complexity, no privileges required, but user interaction is required. Microsoft says the issue has not been publicly disclosed or exploited, exploit code maturity is unproven, and customer action is required. The FAQ says exploitation requires convincing a user to open a maliciously crafted package file in Visual Studio. In enterprise environments, the main risk is to users who process untrusted package files, rather than to unauthenticated network services. Highlights: - CVSS scores: Base 8.8 - Temporal 7.7 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN. - Impact: Security Feature Bypass; confidentiality, integrity, and availability impacts are HIGH. - Exploitation likelihood: Latest Software Release: Exploitation Less Likely; network vector with LOW attack complexity, NO privileges required, and UI required means phishing-style delivery is needed. - Severity for enterprise: High technical severity, but risk is driven by user interaction and handling of malicious package files; lower exposure than a no-interaction network exploit, but still relevant for developer workstations and environments that open untrusted packages. - Patch status: available Affected systems: - No products listed