CVE-2026-21521: Improper neutralization of escape, meta, or control sequences in Copilot allows an unauthorized attacker to disclose inf
highvulnerabilityLLM-Specific
security
Summary
CVE-2026-21521 is a vulnerability in Microsoft Copilot where improper handling of escape sequences (special characters used to control how text is displayed or interpreted) allows an attacker to disclose information over a network without authorization. The vulnerability is classified as CWE-150 (improper neutralization of escape, meta, or control sequences) and was reported by Microsoft Corporation.
Vulnerability Details
CVSS Score
7.4(high)
EPSS (30-day exploit probability)
EPSS: 0.1%
Classification
Attack Type
PII Leakage
Attack SophisticationModerate
Impact (CIA+S)
confidentiality
AI Component TargetedAPI
Taxonomy References
CWE (Weakness Type)
Affected Vendors
Microsoft
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-21521
First tracked: February 15, 2026 at 08:51 PM
Classified by LLM (prompt v3) · confidence: 85%