CVE-2026-26136: Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unaut
mediumvulnerabilityLLM-Specific
security
Summary
CVE-2026-26136 is a command injection vulnerability (a flaw where an attacker can insert malicious commands by exploiting improper filtering of special characters) in Microsoft Copilot that allows an unauthorized attacker to access and disclose sensitive information over a network.
Vulnerability Details
CVSS Score
6.5(medium)
EPSS (30-day exploit probability)
EPSS: 0.0%
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
network
Attack Complexity
low
Privileges Required
none
User Interaction
required
Disclosure Date
March 19, 2026
Classification
Attack Type
Other
Attack SophisticationModerate
Impact (CIA+S)
confidentiality
AI Component TargetedAPI
Affected Vendors
Microsoft
Related Issues
Monthly digest — independent AI security research
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-26136
First tracked: March 19, 2026 at 06:07 PM
Classified by LLM (prompt v3) · confidence: 85%