CVE-2026-26133: AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.

high7.1CVSS 3.1

AVNACLPRNUIRSUCHILAN

AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.

Affected

55 ranges· showing 25

Vendor	Product	Version range	Fixed in
microsoft	365_copilot	< 2.107.2	2.107.2
microsoft	365_copilot	< 16.0.19815.10000	16.0.19815.10000
microsoft	edge	< 145.3800.99	145.3800.99
microsoft	excel	< 2.106.2	2.106.2
microsoft	excel	< 16.0.19822.20038	16.0.19822.20038
microsoft	loop	< 2.106	2.106
microsoft	microsoft_365_copilot_for_android	>= 1.0 < 16.0.19815.10000	16.0.19815.10000
microsoft	microsoft_365_copilot_for_ios	>= 1.0 < 2.107.2	2.107.2
microsoft	microsoft_edge_for_android	>= 1.0.0 < 145.3800.99	145.3800.99
microsoft	microsoft_edge_for_ios	>= 1.0.0.0 < 145.3800.99	145.3800.99
microsoft	microsoft_excel_for_android	>= 16.0.0.0 < 16.0.19822.20038	16.0.19822.20038
microsoft	microsoft_excel_for_ios	>= 1.0 < 2.106.26020617	2.106.26020617
microsoft	microsoft_loop_for_ios	>= 2.0.0 < 2.106.26020617	2.106.26020617
microsoft	microsoft_onenote	>= 1.0.0 < 2.106.26020617	2.106.26020617
microsoft	microsoft_onenote_for_android	>= 16.0.1 < 16.0.19725.20142	16.0.19725.20142
microsoft	microsoft_outlook_for_android	>= 1.0 < 5.2605	5.2605
microsoft	microsoft_outlook_for_ios	>= 1.0.0 < 5.2605	5.2605
microsoft	microsoft_outlook_for_mac	>= 1.0.0 < 5.2605	5.2605
microsoft	microsoft_powerbi_for_android	>= 2.0.0 < 2.2.260210.21290750	2.2.260210.21290750
microsoft	microsoft_powerbi_for_ios	>= 1.0.0 < 1.2.260302.2193910	1.2.260302.2193910
microsoft	microsoft_powerpoint_for_android	>= 16.0.0.0 < 16.0.19822.20038	16.0.19822.20038
microsoft	microsoft_powerpoint_for_ios	>= 1.0 < 2.106.26020617	2.106.26020617
microsoft	microsoft_teams_for_android	>= 1.0.0 < 1.0.0.2026043102	1.0.0.2026043102
microsoft	microsoft_teams_for_ios	>= 2.0.0 < 8.3.1	8.3.1
microsoft	microsoft_word_for_android	>= 16.0.0.0 < 16.0.19822.20038	16.0.19822.20038