CVE-2026-42895

MEDIUM

Microsoft Copilot Tampering Vulnerability

Title source: cna
STIX 2.1

Description

Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to perform tampering over a network.

References (1)

Core 1
Core References
Vendor Advisory vendor-advisory patch
Microsoft Copilot Tampering Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42895

Scores

CVSS v3 6.5
EPSS 0.0040
EPSS Percentile 31.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-77
Status published
Products (2)
microsoft/365_copilot
Microsoft/Microsoft 365 Copilot -
Published Jun 19, 2026
Tracked Since Jun 20, 2026