CVE-2026-42824: Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthoriz
Summary
CVE-2026-42824 is a command injection vulnerability (a flaw where an attacker inserts malicious commands into user input that gets executed by the system) in Microsoft 365 Copilot that allows an unauthorized attacker to disclose information over a network. The vulnerability stems from improper neutralization of special elements in commands. A CVSS score (a 0-10 rating of how severe a vulnerability is) has not yet been assigned by NIST.
Vulnerability Details
CVSS: 6.5 (medium)
EPSS: 0.0%
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack vector: network
Attack complexity: low
Privileges required: none
User interaction: required
June 4, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-42824
First tracked: June 5, 2026 at 02:08 AM
Classified by LLM (prompt v3) · confidence: 85%