Medium severity · 6.5 · NVD Advisory · Published Mar 19, 2026 · Updated Apr 1, 2026
CVE-2026-26136
Description
Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to disclose information over a network.
Affected products (1)
Patches (0)
No patches discovered yet.
References (1)
- msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26136 (nvd, Vendor Advisory)
News mentions (19)
- Wordfence Intelligence Weekly WordPress Vulnerability Report (May 4, 2026 to May 10, 2026) · Wordfence Blog · May 14, 2026
- Microsoft’s WinUI agent plugin trims token use by over 70% during development · Help Net Security · May 14, 2026
- Microsoft turns Copilot Studio into an AI agent control center · Help Net Security · May 14, 2026
- Patch Tuesday - May 2026 · Rapid7 Blog · May 13, 2026
- Microsoft May 2026 Patch Tuesday, (Tue, May 12th) · SANS Internet Storm Center · May 12, 2026
- Microsoft’s May 2026 Patch Tuesday Addresses 118 CVEs (CVE-2026-41103) · Tenable Blog · May 12, 2026
- Zero Chaos: Scaling Detection Engineering at the Speed of Software, with Detection As Code · Rapid7 Blog · May 8, 2026
- Anthropic response to 1-click pwn: Shouldn't have clicked 'ok' · The Register Security · May 7, 2026
- 'TrustFall' Convention Exposes Claude Code Execution Risk · Dark Reading · May 7, 2026
- ServiceNow clears agents for landing with new AI control tower · The Register Security · May 5, 2026
- Security for AI: A strategic framework for closing the AI exposure gap · Tenable Blog · May 4, 2026
- Lens Agents brings policy control to AI across cloud and desktop · Help Net Security · May 4, 2026
- Wordfence Intelligence Weekly WordPress Vulnerability Report (April 20, 2026 to April 26, 2026) · Wordfence Blog · Apr 30, 2026
- Mastering agentic AI security through exposure management · Tenable Blog · Apr 29, 2026
- Wordfence Intelligence Weekly WordPress Vulnerability Report (April 6, 2026 to April 12, 2026) · Wordfence Blog · Apr 16, 2026
- Patch Tuesday - April 2026 · Rapid7 Blog · Apr 14, 2026
- AI Threat Landscape Digest January-February 2026 · Check Point Research · Mar 29, 2026
- How AI Assistants are Moving the Security Goalposts · Krebs on Security · Mar 8, 2026
- Risky Business #826 -- A week of AI mishaps and skulduggery · Risky Business · Feb 25, 2026