Description
Improper neutralization of escape, meta, or control sequences in Copilot allows an unauthorized attacker to disclose information over a network.
Published: 2026-01-22
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from improper neutralization of escape, meta, or control sequences within Microsoft 365 Word Copilot. An unauthorized attacker can exploit this flaw to cause sensitive data to be disclosed over the network, exposing confidential information. The flaw is classified as CWE-150 (Improper Neutralization of Escape, Meta, or Control Sequences) and directly impacts the confidentiality of user data.

Affected Systems

The flaw affects Microsoft 365 Word Copilot components across all supported platforms; specific version details are not disclosed, so all installations of Word Copilot may be impacted.

Risk and Exploitability

The issue carries a CVSS score of 7.4 (High), yet its EPSS score of less than 1% indicates a very low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, and no known workaround exists. The likely attack vector is a Word document containing malicious control sequences that is processed by Copilot, enabling an attacker to read or transmit data over the network.

Generated by OpenCVE AI on April 16, 2026 at 07:36 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Install the latest security update for Microsoft 365 Word Copilot from Microsoft
  • Disable or restrict the Word Copilot feature in affected documents until the patch is applied
  • Monitor network traffic for unauthorized data transmission and apply additional controls if needed



Advisories

No advisories yet.

History

Mon, 02 Feb 2026 13:45:00 +0000

Type    Values Removed    Values Added
CPEs    (none)            cpe:2.3:a:microsoft:365_word_copilot:-:*:*:*:*:*:*:*

Fri, 23 Jan 2026 20:15:00 +0000

Type       Values Removed    Values Added
Metrics    (none)            ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 22 Jan 2026 23:00:00 +0000

Type                  Values Removed    Values Added
Description           (none)            Improper neutralization of escape, meta, or control sequences in Copilot allows an unauthorized attacker to disclose information over a network.
Title                 (none)            Word Copilot Information Disclosure Vulnerability
First Time appeared   (none)            Microsoft; Microsoft 365 Word Copilot
Weaknesses            (none)            CWE-150
CPEs                  (none)            cpe:2.3:a:microsoft:365_word_copilot:*:*:*:*:*:*:*:*
Vendors & Products    (none)            Microsoft; Microsoft 365 Word Copilot
References            (none)            (none)
Metrics               (none)            cvssV3_1: {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-01T13:49:27.034Z

Reserved: 2025-12-30T18:10:54.846Z

Link: CVE-2026-21521

Vulnrichment

Updated: 2026-01-23T20:02:10.801Z

NVD

Status: Analyzed

Published: 2026-01-22T23:15:57.823

Modified: 2026-02-02T13:30:53.350

Link: CVE-2026-21521

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T07:45:06Z

Weaknesses