Skip to main content

Microsoft 365 Copilot For Android

3 CVEs product

Monthly

CVE-2026-48561 CRITICAL PATCH NEWS Exploit Unlikely Act Now

Remote code execution in the Microsoft 365 Copilot mobile apps for Android and iOS lets an unauthenticated attacker run code across a security boundary by getting a user to interact with crafted content (CWE-77 command injection). The CVSS 9.6 rating reflects network reach, low complexity, no privileges, and a changed scope with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, but a vendor patch is available and the flaw was self-reported by Microsoft.

Microsoft Command Injection Microsoft 365 Copilot For Android Microsoft 365 Copilot For Ios
NVD
CVSS 3.1
9.6
EPSS
0.8%
CVE-2026-41100 MEDIUM PATCH This Month

Improper access control in M365 Copilot allows an authorized attacker to perform spoofing locally.

Authentication Bypass Microsoft 365 Copilot For Android
NVD VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-26133 HIGH PATCH This Week

CVE-2026-26133 is an AI command injection vulnerability in Microsoft 365 Copilot and multiple Microsoft mobile/desktop applications that allows remote attackers to disclose sensitive information through crafted AI prompts. The vulnerability affects numerous Microsoft products across iOS, Android, and macOS platforms, requires user interaction, and has a patch available from Microsoft with no current evidence of active exploitation (not in KEV).

Command Injection Microsoft 365 Copilot For Android Microsoft 365 Copilot For Ios Microsoft Edge For Android Microsoft Edge For Ios +16
NVD VulDB
CVSS 3.1
7.1
EPSS
0.1%
EPSS 1% CVSS 9.6
CRITICAL PATCH Exploit Unlikely Act Now

Remote code execution in the Microsoft 365 Copilot mobile apps for Android and iOS lets an unauthenticated attacker run code across a security boundary by getting a user to interact with crafted content (CWE-77 command injection). The CVSS 9.6 rating reflects network reach, low complexity, no privileges, and a changed scope with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, but a vendor patch is available and the flaw was self-reported by Microsoft.

Microsoft Command Injection Microsoft 365 Copilot For Android +1
NVD
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Improper access control in M365 Copilot allows an authorized attacker to perform spoofing locally.

Authentication Bypass Microsoft 365 Copilot For Android
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

CVE-2026-26133 is an AI command injection vulnerability in Microsoft 365 Copilot and multiple Microsoft mobile/desktop applications that allows remote attackers to disclose sensitive information through crafted AI prompts. The vulnerability affects numerous Microsoft products across iOS, Android, and macOS platforms, requires user interaction, and has a patch available from Microsoft with no current evidence of active exploitation (not in KEV).

Command Injection Microsoft 365 Copilot For Android Microsoft 365 Copilot For Ios +18
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy