{"data":{"id":"59bfbe18-c170-4186-9275-4ac68d7ba97f","title":"CVE-2026-26164: Improper neutralization of special elements in output used by a downstream component ('injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network","summary":"CVE-2026-26164 is a vulnerability in Microsoft 365 Copilot caused by improper neutralization of special elements in output used by a downstream component (an injection flaw, in which crafted content is interpreted by the downstream component as instructions rather than as data). An unauthorized attacker could exploit this to access and disclose information over a network.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-26164","publishedAt":"2026-05-07T22:16:33.773Z","cveId":"CVE-2026-26164","cweIds":["CWE-74"],"cvssScore":"7.5","cvssSeverity":"high","severity":"high","attackType":["prompt_injection"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["Microsoft"],"affectedVendorsRaw":["Microsoft 365 Copilot","M365 Copilot"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","attackVector":"network","attackComplexity":"low","privilegesRequired":"none","userInteraction":"none","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-05-07T22:16:33.773Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":true,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":["AML.T0051"]}}