Description
Improper neutralization of special elements used in a command ('command injection') in Copilot Chat (Microsoft Edge) allows an unauthorized attacker to disclose information over a network.
Published: 2026-05-07
Score: 7.5 High
EPSS: 1.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper neutralization of special elements used as part of a command in Copilot Chat enables an unauthorized attacker to cause the application to disclose information over a network. The weakness, classified as CWE‑77, does not guarantee arbitrary command execution, but it can lead to leakage of sensitive data handled by the application.

Affected Systems

Microsoft Copilot Chat, a feature of Microsoft Edge. No specific product version is listed in the advisory, so any installation containing the Copilot Chat component of Microsoft Edge may be affected.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity impact. The EPSS score of 1% suggests a low probability of widespread exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote; an attacker would need to interact with the Copilot Chat interface or supply crafted input that triggers the command‑injection mechanism to have the application transmit disclosed information over a network.

Generated by OpenCVE AI on June 18, 2026 at 08:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Microsoft Edge update that incorporates the fixed Copilot Chat version.
  • Disable the Copilot Chat feature or remove the extension until an update is applied.
  • Stay informed of updates from the Microsoft Security Response Center and apply any future patches promptly.

Generated by OpenCVE AI on June 18, 2026 at 08:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft copilot Chat
CPEs cpe:2.3:a:microsoft:copilot_chat:-:*:*:*:*:microsoft_edge:*:*
Vendors & Products Microsoft copilot Chat

Fri, 08 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 07 May 2026 21:30:00 +0000

Type Values Removed Values Added
Description Improper neutralization of special elements used in a command ('command injection') in Copilot Chat (Microsoft Edge) allows an unauthorized attacker to disclose information over a network.
Title Copilot Chat (Microsoft Edge) Information Disclosure Vulnerability
First Time appeared Microsoft
Microsoft copilot Chat Edge
Weaknesses CWE-77
CPEs cpe:2.3:a:microsoft:copilot_chat_edge:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft copilot Chat Edge
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C'}


Subscriptions

Microsoft Copilot Chat Copilot Chat Edge
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-19T16:13:13.115Z

Reserved: 2026-03-17T20:15:23.720Z

Link: CVE-2026-33111

cve-icon Vulnrichment

Updated: 2026-05-08T19:52:22.927Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-07T22:16:34.157

Modified: 2026-06-17T10:36:57.850

Link: CVE-2026-33111

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T08:30:04Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')