Description
Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to perform tampering over a network.
Published: 2026-05-12
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of special elements used in a command string provided by M365 Copilot can lead to command injection. When an unauthorized attacker supplies specially crafted input it may cause the Outlook for iOS application to execute arbitrary commands, which can in turn modify or tamper with data over the network. The primary impact is the potential for a malicious actor to alter or disrupt content through these injected commands.

Affected Systems

Microsoft Outlook for iOS on iPhone OS is the identified product. No specific affected versions are listed in the CNA data, so all installations of the application are potentially vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score of 7.4 indicates a high severity risk, but the EPSS score is unavailable and the vulnerability is not listed in CISA KEV. Based on the description, the attack vector is likely remote, via network traffic that interacts with Outlook for iOS. An attacker must be able to supply input that reaches the vulnerable command processing routine, possibly by using features enabled by M365 Copilot. While the exact conditions for exploitation are not fully detailed, the existence of a command injection flaw suggests that if an attacker can influence input, they can execute arbitrary commands and tamper with data.

Generated by OpenCVE AI on May 12, 2026 at 19:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Microsoft Outlook for iOS update that contains the command-injection fix
  • If possible, disable or restrict the use of M365 Copilot within Outlook for iOS to limit exposure
  • Monitor network traffic and application logs for anomalous command execution or tampering attempts
  • Follow Microsoft’s security update advisories for additional patches or configuration changes



Advisories

No advisories yet.

History

Wed, 13 May 2026 11:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 17:30:00 +0000

Values Removed: (none)

Values Added (by field):
Description: Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to perform tampering over a network.
Title: Microsoft Outlook for iOS Tampering Vulnerability
First Time appeared: Microsoft; Microsoft outlook
Weaknesses: CWE-77
CPEs: cpe:2.3:a:microsoft:outlook:*:*:*:*:*:iphone_os:*:*
Vendors & Products: Microsoft; Microsoft outlook
References: (none listed)
Metrics: cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-14T18:08:59.721Z

Reserved: 2026-04-30T22:35:54.966Z

Link: CVE-2026-42893

Vulnrichment

Updated: 2026-05-13T10:19:16.449Z

NVD

Status : Analyzed

Published: 2026-05-12T18:17:26.343

Modified: 2026-05-13T18:37:09.340

Link: CVE-2026-42893

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T04:30:05Z

Weaknesses