CVE-2026-33111: Improper neutralization of special elements used in a command ('command injection') in Copilot Chat (Microsoft Edge) all
highvulnerabilityLLM-Specific
security
Summary
CVE-2026-33111 is a command injection vulnerability (where an attacker inserts malicious commands into user input) in Copilot Chat for Microsoft Edge that could allow an unauthorized attacker to disclose information over a network. The vulnerability stems from improper handling of special characters in commands. No severity score has been assigned yet by NIST.
Vulnerability Details
CVSS Score
7.5(high)
EPSS (30-day exploit probability)
EPSS: 0.0%
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
network
Attack Complexity
low
Privileges Required
none
User Interaction
none
Disclosure Date
May 7, 2026
Classification
Attack Type
Other
Attack SophisticationModerate
Impact (CIA+S)
confidentialityintegrity
Affected Vendors
Microsoft
Related Issues
Monthly digest — independent AI security research
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-33111
First tracked: May 7, 2026 at 08:08 PM
Classified by LLM (prompt v3) · confidence: 85%