Microsoft 365 Copilot vulnerabilities
10 known vulnerabilities affecting microsoft/microsoft_365_copilot.
Total CVEs: 10
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 8, MEDIUM 1
Vulnerabilities
CVE-2026-45497 | P2 | HIGH | CVSS 8.8 | CWE-77 | 2026-06-04
Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an authorized attacker to execute code over a network.
Source: nvd
CVE-2026-42824 | P2 | HIGH | CVSS 7.5 | CWE-77 | 2026-06-04
Missing authentication for critical function in M365 Copilot allows an unauthorized attacker to disclose information over a network.
Source: nvd
CVE-2025-32711 | P3 | HIGH | CVSS 7.5 | CWE-74 | 2025-06-11
AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.
Source: nvd
CVE-2026-54130 | P3 | HIGH | CVSS 7.5 | CWE-306 | 2026-06-18
Missing authentication for critical function in M365 Copilot allows an unauthorized attacker to disclose information over a network.
Source: nvd
CVE-2026-42895 | P3 | HIGH | CVSS 7.5 | CWE-77 | 2026-06-19
Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to perform tampering over a network.
Source: nvd
CVE-2026-33102 | P3 | CRITICAL | CVSS 9.3 | CWE-601 | 2026-04-23
URL redirection to untrusted site ('open redirect') in M365 Copilot allows an unauthorized attacker to elevate privileges over a network.
Source: nvd
CVE-2026-42827 | P3 | HIGH | CVSS 7.5 | CWE-77 | 2026-05-22
Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.
Sources: cvelistv5, nvd
CVE-2026-47645 | P3 | HIGH | CVSS 8.8 | CWE-601 | 2026-06-19
URL redirection to untrusted site ('open redirect') in Microsoft 365 Copilot's Business Chat allows an unauthorized attacker to elevate privileges over a network.
Source: nvd
CVE-2026-24307 | P3 | HIGH | CVSS 7.5 | CWE-1287 | 2026-01-22
Improper validation of specified type of input in M365 Copilot allows an unauthorized attacker to disclose information over a network.
Source: nvd
CVE-2026-24299 | P4 | MEDIUM | CVSS 5.3 | CWE-77 | 2026-03-19
Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.
Source: nvd