CVE-2026-42895
published 2026-06-19
Priority: P3 | 51 | high | CVSS 3.1 base score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.40% (31.7th percentile)
Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to perform tampering over a network.
Affected: 1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | microsoft_365_copilot | — | — |
VulDB
Microsoft Copilot privilege escalation (EUVD-2026-38087)
vuldb·2026-06-20
CVE-2026-42895 [CRITICAL] Microsoft Copilot privilege escalation (EUVD-2026-38087)
A vulnerability, which was classified as critical, has been found in Microsoft Copilot. Affected by this vulnerability is an unknown functionality. The manipulation leads to privilege escalation.
This vulnerability is uniquely identified as CVE-2026-42895. The attack can only be initiated within the local network. No exploit exists.
GHSA
Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to perform tampering over a network.
ghsa_unreviewed·2026-06-19
CVE-2026-42895 [MEDIUM] CWE-77 Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to perform tampering over a network.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-06-19