Description
Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to perform tampering over a network.
Published: 2026-06-19
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Microsoft 365 Copilot, an attacker can exploit improper neutralization of special elements used in a command, resulting in command injection. This flaw enables an unauthorized user to execute arbitrary commands or commands that tamper with the system over a network, potentially compromising confidentiality, integrity, or availability of the affected services.

Affected Systems

Microsoft 365 Copilot is the affected product. No specific version information is provided; all current deployments of Microsoft 365 Copilot may be impacted.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity vulnerability. The EPSS score is not available, so precise exploitation likelihood cannot be quantified, but the flaw is a classic command injection that can be triggered remotely over the network. The vulnerability is not listed in the CISA KEV catalog. Attackers with network access to Copilot services could feasibly inject malicious commands, leading to unauthorized tampering or execution of arbitrary code.

Generated by OpenCVE AI on June 19, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft security update that addresses command injection in Microsoft 365 Copilot.
  • Restrict network access to Copilot endpoints, ensuring only trusted users and systems can interact with the service.
  • Implement monitoring and logging to detect suspicious command activity and review logs for signs of exploitation.

Generated by OpenCVE AI on June 19, 2026 at 22:21 UTC.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 21:15:00 +0000

Type | Values Removed | Values Added
Description | (none) | Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to perform tampering over a network.
Title | (none) | Microsoft Copilot Tampering Vulnerability
First Time appeared | (none) | Microsoft; Microsoft 365 Copilot
Weaknesses | (none) | CWE-77
CPEs | (none) | cpe:2.3:a:microsoft:365_copilot:*:*:*:*:*:*:*:*
Vendors & Products | (none) | Microsoft; Microsoft 365 Copilot
References | (none) | (none)
Metrics | (none) | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-19T20:27:46.785Z

Reserved: 2026-04-30T22:35:54.967Z

Link: CVE-2026-42895

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T22:30:05Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')