What is the CVSS score of CVE-2026-24299?

CVE-2026-24299 has a CVSS 3.1 base score of 5.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of 365 Copilot are affected by CVE-2026-24299?

CVE-2026-24299 presents moderate security risk, a command injection vulnerability rated CVSS 5.3. Exploitation could allow attackers to execute code or inject malicious input.. A patch is available.

How to fix or mitigate CVE-2026-24299?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Validate input sanitization for user-controlled parameters.

365 Copilot CVE-2026-24299

EUVD-2026-13178 MEDIUM

Command Injection (CWE-77)

2026-03-19 secure@microsoft.com

Command Injection 365 Copilot

5.3

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

5.3 MEDIUM

AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 19, 2026 - 21:30 euvd

EUVD-2026-13178

Analysis Generated

Mar 19, 2026 - 21:30 vuln.today

CVE Published

Mar 19, 2026 - 21:17 nvd

MEDIUM 5.3

DescriptionCVE.org

Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.

AnalysisAI

M365 Copilot is vulnerable to command injection that enables unauthenticated remote attackers to extract sensitive information through the network. The vulnerability stems from inadequate sanitization of special characters in command inputs, requiring user interaction to trigger. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	Full system compromise — the attacker can execute any command with the privileges of the vulnerable application process. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker injects shell metacharacters (;, \|, &&) into a parameter that is passed to a system command, causing additional commands to be executed.
Remediation	Avoid passing user input to system commands. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-24299 vulnerability details – vuln.today

Back

365 Copilot CVE-2026-24299

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code