CVE-2026-48561: Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unaut
Summary
CVE-2026-48561 is a command injection vulnerability (a flaw where an attacker tricks software into running unintended commands by inserting special characters into input) in Microsoft Copilot that allows an unauthorized attacker to execute code over a network. The vulnerability stems from improper handling of special elements in commands. Details about the severity and available fixes are still being assessed.
Vulnerability Details
9.6(critical)
EPSS: 0.0%
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
network
low
none
required
July 14, 2026
Classification
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-48561
First tracked: July 14, 2026 at 02:07 PM
Classified by LLM (prompt v3) · confidence: 85%