365 Copilot
by Microsoft
CVEs (14)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-41090 | | Critical | 0.60 | 9.3 | 0.00 | | May 22, 2026 | Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to perform tampering over a network. |
| CVE-2026-33102 | | Critical | 0.60 | 9.3 | 0.00 | | Apr 23, 2026 | URL redirection to untrusted site ('open redirect') in M365 Copilot allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2025-62554 | | High | 0.55 | 8.4 | 0.00 | | Dec 9, 2025 | Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally. |
| CVE-2026-42831 | | High | 0.51 | 7.8 | 0.00 | | May 12, 2026 | Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally. |
| CVE-2026-26164 | | High | 0.49 | 7.5 | 0.01 | | May 7, 2026 | Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network. |
| CVE-2026-26129 | | High | 0.49 | 7.5 | 0.01 | | May 7, 2026 | Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network. |
| CVE-2026-42893 | | High | 0.48 | 7.4 | 0.00 | | May 12, 2026 | Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to perform tampering over a network. |
| CVE-2026-26133 | | High | 0.46 | 7.1 | 0.00 | | Mar 16, 2026 | AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network. |
| CVE-2026-42824 | | Medium | 0.42 | 6.5 | 0.08 | | Jun 4, 2026 | Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network. |
| CVE-2026-42827 | | Medium | 0.42 | 6.5 | 0.01 | | May 22, 2026 | Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network. |
| CVE-2026-41614 | | Medium | 0.40 | 6.2 | 0.00 | | May 12, 2026 | Improper access control in M365 Copilot for Desktop allows an unauthorized attacker to perform spoofing locally. |
| CVE-2026-47645 | | | 0.00 | — | 0.00 | | Jun 19, 2026 | URL redirection to untrusted site ('open redirect') in Microsoft 365 Copilot's Business Chat allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2026-54130 | | | 0.00 | — | 0.01 | | Jun 18, 2026 | Missing authentication for critical function in M365 Copilot allows an unauthorized attacker to disclose information over a network. |
| CVE-2026-24299 | | | 0.00 | — | 0.01 | | Mar 19, 2026 | Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network. |