Description
Improper neutralization of special elements used in a command ('command injection') in Copilot Chat (Microsoft Edge) allows an unauthorized attacker to disclose information over a network.
Published: 2026-05-07
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper neutralization of special elements used in a command in Copilot Chat enables an unauthorized attacker to run arbitrary commands, which can cause sensitive information to be disclosed over a network. The weakness, identified as CWE-77, results in an information-disclosure vulnerability that could allow attackers to exfiltrate data or learn internal system details without needing elevated privileges. This type of flaw may compromise confidentiality of data handled by the application.

Affected Systems

Microsoft Copilot Chat, a feature of Microsoft Edge. The current advisory provides no specific product version details, so at present the issue may affect any installation that contains the Copilot Chat component of Microsoft Edge.

Risk and Exploitability

The CVSS score for this vulnerability is 7.5, indicating a high severity level. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog, suggesting that while the flaw is serious, there is limited publicly reported exploitation at this time. The likely attack vector is remote, inferred from the description that disclosure occurs over a network and that an unauthorized attacker could exploit the command injection. Exploitation would require the attacker to interact with the Copilot Chat interface or supply crafted input that triggers the command injection, after which the application may transmit leaked information to the attacker.

Generated by OpenCVE AI on May 7, 2026 at 22:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Microsoft Edge update that includes the fixed Copilot Chat version.
  • Disable the Copilot Chat feature or remove the extension until the update is applied.
  • Limit network exposure for Copilot Chat by applying firewall or application whitelisting rules to prevent unauthorized data transmission.

Advisories

No advisories yet.

History

Thu, 14 May 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft copilot Chat
CPEs cpe:2.3:a:microsoft:copilot_chat:-:*:*:*:*:microsoft_edge:*:*
Vendors & Products Microsoft copilot Chat

Fri, 08 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 07 May 2026 21:30:00 +0000

Type Values Removed Values Added
Description Improper neutralization of special elements used in a command ('command injection') in Copilot Chat (Microsoft Edge) allows an unauthorized attacker to disclose information over a network.
Title Copilot Chat (Microsoft Edge) Information Disclosure Vulnerability
First Time appeared Microsoft
Microsoft copilot Chat Edge
Weaknesses CWE-77
CPEs cpe:2.3:a:microsoft:copilot_chat_edge:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft copilot Chat Edge
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T19:33:51.687Z

Reserved: 2026-03-17T20:15:23.720Z

Link: CVE-2026-33111

Vulnrichment

Updated: 2026-05-08T19:52:22.927Z

NVD

Status: Analyzed

Published: 2026-05-07T22:16:34.157

Modified: 2026-05-14T14:31:11.830

Link: CVE-2026-33111

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T00:30:25Z

Weaknesses