CVE-2026-45497: Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an autho
Summary
CVE-2026-45497 is a command injection vulnerability in Microsoft Copilot that lets an authorized attacker execute code over a network. Command injection is a flaw where special characters in user input are not properly filtered, allowing an attacker to insert and run unintended commands. The vulnerability has not yet received a CVSS score (a 0-10 rating of how severe a vulnerability is) from NIST.
Vulnerability Details
7.7 (high)
EPSS: 0.0%
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L
Attack vector: network
Attack complexity: high
Privileges required: low
User interaction: none
June 4, 2026
Classification
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-45497
First tracked: June 5, 2026 at 02:08 AM