CVE Catalog

CVE-2026-42824

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Very high risk
7.64%

94th percentile - higher than 94% of all known CVEs

Summary

A command injection vulnerability in M365 Copilot allows an unauthorized attacker to disclose information over a network. The flaw is due to improper neutralization of special elements used in commands.

Risk Assessment

The organization risks confidential data leakage, which can be intercepted by an attacker without requiring any privileges.

Recommendation

Apply the security update provided by Microsoft for M365 Copilot immediately and restrict access to the service to trusted networks only.

Original NVD description (English source)

Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS