CVE-2026-26133

CWE-77Command Injection5 documents5 sources
Severity
7.1HIGH
EPSS
0.1%
top 83.55%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
30
Microsoft Microsoft 365 Copilot FOR AndroidMicrosoft Microsoft 365 Copilot FOR IOSMicrosoft Microsoft Edge FOR Android+27 more
Timeline
PublishedMar 16

Description

AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:NExploitability: 2.8 | Impact: 4.2

Affected Packages30 packages

NVDmicrosoft/365_copilot< 2.107.2+1
CVEListV5microsoft/microsoft_365_copilot_for_ios1.02.107.2
CVEListV5microsoft/microsoft_365_copilot_for_android1.016.0.19815.10000
NVDmicrosoft/edge< 145.3800.99
NVDmicrosoft/loop< 2.106

🔴Vulnerability Details

2
GHSA
GHSA-rjf5-cxrf-4rvw: AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network2026-03-16
CVEList
M365 Copilot Information Disclosure Vulnerability2026-03-13

📋Vendor Advisories

1
Microsoft
M365 Copilot Information Disclosure Vulnerability2026-03-10

🕵️Threat Intelligence

1
Wiz
CVE-2026-26133 Impact, Exploitability, and Mitigation Steps | Wiz