CVE-2026-45497
Published: 2026-06-04
Priority: P2 (64)
CVSS 3.1: 8.8 (high), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.45% (36.0th percentile)
Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an authorized attacker to execute code over a network.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | microsoft_365_copilot | — | — |
GHSA
ghsa_unreviewed · 2026-06-05
CVE-2026-45497 [HIGH] CWE-77: Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an authorized attacker to execute code over a network.
VulDB
vuldb · 2026-06-05 · CVSS 7.7
CVE-2026-45497 [HIGH] Microsoft 365 Copilot command injection
A vulnerability identified as critical has been detected in Microsoft 365 Copilot. The impacted element is an unknown function. This manipulation causes command injection.
The identification of this vulnerability is CVE-2026-45497. It is possible to initiate the attack remotely. There is no exploit available.
This product is a managed service. This means that users are not able to maintain vulnerability countermeasures themselves.
No detection rules found.
No public exploits indexed.
Talos
blogs_talos · 2026-06-09 · CVSS 8.8
CVE-2026-42985 [HIGH] Microsoft Patch Tuesday for June 2026 — Snort rules and prominent vulnerabilities
Microsoft has released its monthly security update for June 2026, which includes 206 vulnerabilities affecting a range of products, including 32 that Microsoft marked as “critical”.
Out of 32 "critical" entries, 28 are remote code execution (RCE) vulnerabilities in Microsoft Windows services and applications including Windows Active Directory, Windows Kerberos Key Distribution Centre (KDC), Windows Graphics component, Windows Remote Desktop client, Windows Deployment Services (WDS), DHCP Client service, Windows Hyper-V, Windows Kernel and Media, Azure Kubernetes Service (AKS), Microsoft Office, Microsoft Outlook, Microsoft Word, Microsoft SQL server and Windows HTTP Protocol Stack.
Talos highlights 4 cr
SANS ISC
blogs_sans_isc · 2026-06-09 · CVSS 8.8
CVE-2026-49160 [HIGH] Microsoft June 2026 Patch Tuesday, (Tue, Jun 9th)
Published: 2026-06-09. Last Updated: 2026-06-09 17:34:29 UTC
by Johannes Ullrich (Version: 1)
Microsoft today released patches for 204 vulnerabilities. 38 of these vulnerabilities are considered critical, and three have been disclosed before today. Six of the vulnerabilities affect Microsoft cloud solutions and do not require any user action. In addition, Microsoft incorporated 360 different vulnerabilities affecting Chromium into its Edge browser.
This is certainly a busier-than-usual patch Tuesday. In particular, the large number of patched Chromium/Edge vulnerabilities underscores the impact of AI tools on vulnerability discovery.
Some noteworthy vulnerabilities:
CVE-2026-49160: This vulnerability was made public a week ago. As implem
CrowdStrike
blogs_crowdstrike
CVE-2026-45586 June 2026 Patch Tuesday: Microsoft Patches 206 Vulnerabilities Including Three Publicly Disclosed Zero-Days