Skip to main content

Microsoft 365 Copilot CVE-2026-42895

| EUVDEUVD-2026-38087 HIGH
Command Injection (CWE-77)
2026-06-19 secure@microsoft.com GHSA-fp2r-x59w-m577
7.5
CVSS 3.1 · NVD
Temporal: 5.7
Share

Severity by source

Vendor (microsoft) PRIMARY
MEDIUM
qualitative
NVD
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CIRCL (temporal)
5.7 MEDIUM
cvss
vuln.today AI
7.5 HIGH

Remote unauthenticated network input with low complexity and no user interaction justifies AV:N/AC:L/PR:N/UI:N; impact is tampering only, so I:H with C:N and A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (microsoft).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

7
Analysis Updated
Jun 26, 2026 - 21:58 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 26, 2026 - 21:57 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 26, 2026 - 21:52 vuln.today
cvss_changed
Severity Changed
Jun 26, 2026 - 21:52 NVD
MEDIUM HIGH
CVSS changed
Jun 26, 2026 - 21:52 NVD
6.5 (MEDIUM) 7.5 (HIGH)
Analysis Generated
Jun 19, 2026 - 21:54 vuln.today
CVE Published
Jun 19, 2026 - 21:16 nvd
MEDIUM 6.5

DescriptionNVD

Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to perform tampering over a network.

AnalysisAI

Command injection in Microsoft 365 Copilot lets a remote, unauthenticated attacker tamper with data and integrity over the network by injecting unneutralized special elements into a command (CWE-77). The flaw carries a CVSS 7.5 driven entirely by high integrity impact, with no confidentiality or availability loss. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach Copilot network interface
Delivery
Submit crafted input with special elements
Exploit
Bypass command neutralization (CWE-77)
Execution
Alter constructed command
Impact
Tamper with data/output integrity

Vulnerability AssessmentAI

Exploitation Per the CVSS vector (AV:N/AC:L/PR:N/UI:N), no special conditions are required - remote, unauthenticated, low-complexity exploitation against the Microsoft 365 Copilot service over the network with no user interaction. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and lean toward moderate, not urgent, priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A remote attacker submits crafted input containing unneutralized special characters to a 365 Copilot interface, causing the constructed command to be altered and producing an unintended, attacker-influenced result that tampers with data or output integrity. No authentication or user interaction is required per the CVSS vector, but no public exploit code has been identified, so any attack would currently require independent development.
Remediation Patch available per vendor advisory: Microsoft reports the fix is available and, because 365 Copilot is a cloud service, the mitigation is applied server-side by Microsoft with no customer action required to receive it - confirm your tenant is current via the Microsoft advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42895. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory Microsoft 365 Copilot deployments and users; enable Microsoft security notifications. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-32711 CRITICAL POC
9.3 Jun 11

CVE-2025-32711 is an AI command injection vulnerability in Microsoft 365 Copilot that enables unauthenticated network-ba

CVE-2021-43905 CRITICAL
9.6 Dec 15

Microsoft Office app Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.6), this vulnerability is remo

CVE-2026-24307 CRITICAL
9.3 Jan 22

M365 Copilot has an input validation vulnerability allowing unauthorized attackers to extract sensitive information thro

CVE-2026-47645 HIGH
8.8 Jun 19

Privilege elevation in Microsoft 365 Copilot's Business Chat is possible when an attacker abuses an open redirect (CWE-6

CVE-2026-45463 HIGH
8.4 Jun 09

Local code execution in Microsoft Office is possible via a heap-based buffer overflow that an unauthorized attacker can

CVE-2026-45474 HIGH
8.4 Jun 09

Local code execution in Microsoft Office is possible through a heap-based buffer overflow that an unauthorized attacker

CVE-2026-45472 HIGH
8.4 Jun 09

Local code execution in Microsoft Office via a heap-based buffer overflow allows an unauthorized attacker to run arbitra

CVE-2026-45461 HIGH
8.4 Jun 09

Local code execution in Microsoft Office via a heap-based buffer overflow that lets an unauthorized attacker run arbitra

CVE-2026-24299 MEDIUM
5.3 Mar 19

M365 Copilot is vulnerable to command injection that enables unauthenticated remote attackers to extract sensitive infor

CVE-2026-45460 MEDIUM
4.7 Jun 09

Out-of-bounds read (buffer over-read) in Microsoft Office exposes sensitive memory contents to a local attacker who can

Share

CVE-2026-42895 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy