CVE-2026-42893: Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthoriz
Summary
CVE-2026-42893 is a command injection vulnerability (a flaw where an attacker can insert malicious commands by exploiting how special characters are handled) in Microsoft 365 Copilot that allows an unauthorized attacker to tamper with data over a network. The vulnerability has a CVSS 4.0 severity rating (a moderate score on the 0-10 vulnerability severity scale). This issue was reported by Microsoft Corporation and published in May 2026.
Vulnerability Details
CVSS score: 7.4 (high)
EPSS: 0.0%
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
Attack vector: network
Attack complexity: low
Privileges required: none
User interaction: required
May 12, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-42893
First tracked: May 12, 2026 at 08:09 PM
Classified by LLM (prompt v3) · confidence: 85%