Fetching from the wire…
Public story · 2026-03-07 · source-backed
Copilot CLI through 0.0.422 is vulnerable to arbitrary code execution via bash parameter expansion. The safety check classifies commands as "read-only" based on visible text (e.g., echo), but shell operators (${var@P}, ${var=value}) execute hidden commands including reverse shells. Attacks inject via prompt injection through repo files or MCP server responses. CVSS High. Patched in 0.0.423. (PromptArmor)
Each link below shares sources, entities, or timing with this story.
Claude Code uses MCP / Shared entities / Shared topic / Earlier coverage
Linked by a graph relationship (Claude Code uses MCP); both cover CVE, MCP; overlapping topics (attack, check, code, cvss).
Claude Code uses MCP / Shared entity: CVE / Shared topic / What happened next
Linked by a graph relationship (Claude Code uses MCP); both cover CVE; overlapping topics (arbitrary, attack, check, code, command).
Linked by a graph relationship (Claude Code uses MCP); both cover CVE; overlapping topics (arbitrary, attack, check, code, command).
OpenAI supports MCP / Shared entities / Shared topic / What happened next
Linked by a graph relationship (OpenAI supports MCP); both cover CVE, MCP; overlapping topics (attack, check).
Cursor uses MCP / Shared entities / Shared topic / What happened next
Linked by a graph relationship (Cursor uses MCP); both cover CVE, MCP; overlapping topics (code, command).
OX Security criticizes MCP / Shared entities / Shared topic / What happened next
Linked by a graph relationship (OX Security criticizes MCP); both cover CVE, MCP; overlapping topics (arbitrary, command).
Anthropic released MCP / Shared entities / Shared topic / Earlier coverage
Linked by a graph relationship (Anthropic released MCP); both cover CVE, MCP; overlapping topics (arbitrary, attack, command).
Claude uses MCP / Shared entity: CVE / Shared topic / What happened next / Tension
Linked by a graph relationship (Claude uses MCP); both cover CVE; overlapping topics (attack, code, command).