anonhaven
Ad

CVE-2026-26133

HIGH CVSS 3.1: 7.1 EPSS 0.05%
Updated Apr 09, 2026
Microsoft
Parameter Value
CVSS 7.1 (HIGH)
Affected Versions 1.0 — 8.3.1
Fixed In 2.106.26020617
Type CWE-77 (Command Injection)
Vendor Microsoft
Public PoC No

AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
Required
User action required

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
Low
Partial data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-77 Command Injection

Vulnerable Products 32

Configuration From (including) Up to (excluding)
Microsoft Onenote_For_Ios
cpe:2.3:a:microsoft:onenote_for_ios:*:*:*:*:*:*:*:*
 1.0.0 2.106.26020617
Microsoft Outlook
cpe:2.3:a:microsoft:outlook:*:*:*:*:*:macos:*:*
 1.0.0 5.2605
Microsoft Outlook_2016
cpe:2.3:a:microsoft:outlook_2016:*:*:*:*:*:android:*:*
 1.0 5.2605
Microsoft 365_Copilot_Ios
cpe:2.3:a:microsoft:365_copilot_iOS:*:*:*:*:*:*:*:*
 1.0 2.107.2
Microsoft Edge
cpe:2.3:a:microsoft:edge:*:*:*:*:*:android:*:*
 1.0.0 145.3800.99
Microsoft Teams
cpe:2.3:a:microsoft:teams:*:*:*:*:*:iphone_os:*:*
 2.0.0 8.3.1
Microsoft Teams
cpe:2.3:a:microsoft:teams:*:*:*:*:*:android:*:*
 1.0.0 1.0.0.2026043102
Microsoft Excel
cpe:2.3:a:microsoft:excel:*:*:*:*:*:android:*:*
 16.0.0.0 16.0.19822.20038
Microsoft Word
cpe:2.3:a:microsoft:word:*:*:*:*:*:android:*:*
 16.0.0.0 16.0.19822.20038
Microsoft Powerpoint
cpe:2.3:a:microsoft:powerpoint:*:*:iOS:*:*:*:*:*
 1.0 2.106.26020617
Microsoft Word
cpe:2.3:a:microsoft:word:*:*:iOS:*:*:*:*:*
 2.0.0 2.106.26020617
Microsoft Loop
cpe:2.3:a:microsoft:loop:*:*:iOS:*:*:*:*:*
 2.0.0 2.106.26020617
Microsoft Outlook
cpe:2.3:a:microsoft:outlook:*:*:*:*:*:iphone_os:*:*
 1.0.0 5.2605
Microsoft 365_Copilot_Android
cpe:2.3:a:microsoft:365_copilot_Android:*:*:*:*:*:*:*:*
 1.0 16.0.19815.10000
Microsoft Power_Bi_Android
cpe:2.3:a:microsoft:power_bi_android:*:*:*:*:*:*:*:*
 2.0.0 2.2.260210.21290750
Microsoft Power_Bi_Ios
cpe:2.3:a:microsoft:power_bi_iOS:*:*:*:*:*:*:*:*
 1.0.0 1.2.260302.2193910
Microsoft Onenote_For_Android
cpe:2.3:a:microsoft:onenote_for_android:*:*:*:*:*:*:*:*
 16.0.1 16.0.19725.20142
Microsoft Edge
cpe:2.3:a:microsoft:edge:*:*:*:*:*:iphone_os:*:*
 1.0.0.0 145.3800.99
Microsoft Powerpoint
cpe:2.3:a:microsoft:powerpoint:*:*:*:*:*:android:*:*
 16.0.0.0 16.0.19822.20038
Microsoft Excel
cpe:2.3:a:microsoft:excel:*:*:iOS:*:*:*:*:*
 1.0 2.106.26020617
Microsoft 365_Copilot
cpe:2.3:a:microsoft:365_copilot:*:*:*:*:*:iphone_os:*:*
 2.107.2
Microsoft 365_Copilot
cpe:2.3:a:microsoft:365_copilot:*:*:*:*:*:android:*:*
 16.0.19815.10000
Microsoft Excel
cpe:2.3:a:microsoft:excel:*:*:*:*:*:iphone_os:*:*
 2.106.2
Microsoft Loop
cpe:2.3:a:microsoft:loop:*:*:*:*:*:iphone_os:*:*
 2.106
Microsoft Onenote
cpe:2.3:a:microsoft:onenote:*:*:*:*:*:android:*:*
 16.0.19725.20142
Microsoft Onenote
cpe:2.3:a:microsoft:onenote:-:*:*:*:*:iphone_os:*:*
Microsoft Outlook
cpe:2.3:a:microsoft:outlook:*:*:*:*:*:android:*:*
 5.2605.0
Microsoft Outlook
cpe:2.3:a:microsoft:outlook:-:*:*:*:*:macos:*:*
Microsoft Power_Bi
cpe:2.3:a:microsoft:power_bi:*:*:*:*:*:android:*:*
 2.2.260210.21290750
Microsoft Power_Bi
cpe:2.3:a:microsoft:power_bi:-:*:*:*:*:iphone_os:*:*
Microsoft Powerpoint
cpe:2.3:a:microsoft:powerpoint:*:*:*:*:*:iphone_os:*:*
 2.106.2
Microsoft Word
cpe:2.3:a:microsoft:word:*:*:*:*:*:iphone_os:*:*
 2.106.2

References 1

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26133
M365 Copilot Information Disclosure Vulnerability
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-6318

Linux

8.8

CVE-2026-6317

Linux

8.8

CVE-2026-6316

Linux

8.8

CVE-2026-6314

Linux

8.3

CVE-2026-6313

Linux

3.1