CVE Catalog
CVE-2026-42824
MediumCVSS 6.5Exploitation Probability (EPSS)
Very high risk7.64%
94th percentile - higher than 94% of all known CVEs
Summary
A command injection vulnerability in M365 Copilot allows an unauthorized attacker to disclose information over a network. The flaw is due to improper neutralization of special elements used in commands.
Risk Assessment
The organization risks confidential data leakage, which can be intercepted by an attacker without requiring any privileges.
Recommendation
Apply the security update provided by Microsoft for M365 Copilot immediately and restrict access to the service to trusted networks only.
Original NVD description (English source)
Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.

