Description
Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to perform tampering over a network.
Published: 2026-05-22
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper neutralization of special elements used in commands within Microsoft 365 Copilot for iOS, which is defined as a command injection flaw (CWE‑77). An attacker who can supply unauthenticated input can cause the application to execute arbitrary system commands, enabling tampering with data, application functionality, or device state over a network. This directly translates to potential remote code execution, unauthorized modification, and compromise of the hosting iOS device.

Affected Systems

Affected is Microsoft 365 Copilot for iOS, a Microsoft 365 feature available on iOS devices. No specific version information was supplied, so all deployments of the Copilot for iOS add‑on are potentially impacted until a patch is released.

Risk and Exploitability

The CVSS score of 9.3 indicates a critical severity. No EPSS score has been published, so the exploitation probability is currently unknown; however, the lack of KEV listing suggests no publicly known exploits yet. The description indicates the vulnerability can be abused over a network, implying the attack vector is remote. With a high severity score and the possibility of network‑based exploitation, the risk to affected environments remains significant until the vendor issues a fix.

Generated by OpenCVE AI on May 22, 2026 at 23:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Microsoft 365 Copilot to the latest version available on iOS.
  • If possible, restrict or block the application's network access using device management policies.
  • Implement monitoring of application logs and network traffic for unusual command‑execution activity.

Generated by OpenCVE AI on May 22, 2026 at 23:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 23 May 2026 00:15:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft 365 Copilot Ios
Vendors & Products Microsoft 365 Copilot Ios

Fri, 22 May 2026 22:30:00 +0000

Type Values Removed Values Added
Description Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to perform tampering over a network.
Title Microsoft Copilot Tampering Vulnerability
First Time appeared Microsoft
Microsoft 365 Copilot Ios
Weaknesses CWE-77
CPEs cpe:2.3:a:microsoft:365_copilot_iOS:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft 365 Copilot Ios
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C'}

Subscriptions

Microsoft 365 Copilot Ios 365 Copilot Ios
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-22T22:03:09.052Z

Reserved: 2026-04-16T19:12:36.194Z

Link: CVE-2026-41090

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-23T00:00:05Z

Weaknesses