Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
Microsoft APM is a tool that manages dependencies for AI agents, and versions before 0.13.0 have a security flaw on Windows systems. When installing a bundle (a package of code) from a .tar.gz file (a compressed archive format), the tool extracts files without properly checking if any file paths could escape the intended folder, potentially allowing an attacker to place files anywhere on the system by using absolute paths like D:/.
Fix: This vulnerability is fixed in version 0.13.0.
NVD/CVE Database
Microsoft APM, a dependency manager for AI agents, had a vulnerability in versions 0.5.4 to 0.12.4 where symbolic links (shortcuts that point to other files) in downloaded packages were followed without checking, potentially allowing attackers to read or write arbitrary files on a developer's machine. The vulnerability went undetected by security checks because the resulting files were not flagged by package hash verification, security scans, or audit tools.
Microsoft APM is a tool that manages dependencies (external code libraries) for AI agents. Before version 0.8.12, it had a path traversal vulnerability (a security flaw where an attacker can access files outside the intended directory) that allowed malicious plugins to copy arbitrary files from a user's computer during installation by using absolute paths or '../' sequences to escape the plugin directory.
GitHub Copilot CLI (an AI tool that helps developers write code from the command line) has a security vulnerability in versions before 1.0.43 where a malicious bare git repository (a special type of git storage folder with no working files) hidden in a project can trick the tool into running harmful commands. An attacker can exploit git's automatic discovery of these repositories and use configuration keys like core.fsmonitor (settings that tell git what commands to run during normal operations) to execute arbitrary code without the user knowing.
CVE-2026-42893 is a command injection vulnerability (a flaw where an attacker can insert malicious commands by exploiting how special characters are handled) in Microsoft 365 Copilot that allows an unauthorized attacker to tamper with data over a network. The vulnerability has a CVSS 4.0 severity rating (a moderate score on the 0-10 vulnerability severity scale). This issue was reported by Microsoft Corporation and published in May 2026.
CVE-2026-41614 is a vulnerability in Microsoft 365 Copilot for Desktop caused by improper access control (a weakness where the software fails to properly restrict who can do what), allowing an unauthorized attacker to perform spoofing (making something appear to come from someone else) on a local computer. The vulnerability has a CVSS 4.0 severity rating, though a full assessment from NIST has not yet been provided.
CVE-2026-41109 is a security flaw in GitHub Copilot and Visual Studio that allows an attacker to bypass a security feature by improperly handling special characters in output, which are then processed by another component (injection, where untrusted data is inserted into code or commands). The vulnerability can be exploited over a network by unauthorized attackers.
CVE-2026-41100 is a vulnerability in Microsoft 365 Copilot where improper access control (weak rules that don't properly check who should be allowed to do something) allows an authorized attacker to perform spoofing (impersonating someone or something else) on a local system. The vulnerability has a CVSS 4.0 severity rating (a moderate security concern on a 0-10 scale).
CVE-2026-33833 is a vulnerability in Azure Machine Learning where special characters in output are not properly filtered before being used by another component, allowing an attacker to perform spoofing (pretending to be someone or something else) over a network. The vulnerability has a CVSS score (a 0-10 severity rating) of 4.0, indicating moderate severity. This type of flaw is known as an injection vulnerability (CWE-74), where untrusted data can be used to manipulate downstream processes.
CVE-2026-35435 is a vulnerability in Azure AI Foundry M365 published agents where improper access control (weak rules about who can access what) allows an unauthorized attacker to gain higher privileges over a network. A CVSS score (a 0-10 rating of how severe a vulnerability is) has not yet been provided by NIST.
CVE-2026-33111 is a command injection vulnerability (where an attacker inserts malicious commands into user input) in Copilot Chat for Microsoft Edge that could allow an unauthorized attacker to disclose information over a network. The vulnerability stems from improper handling of special characters in commands. No severity score has been assigned yet by NIST.
CVE-2026-32207 is a cross-site scripting vulnerability (XSS, where an attacker injects malicious code into a web page that gets executed in users' browsers) in Azure Machine Learning that allows an unauthorized attacker to perform spoofing (impersonating someone or something else) over a network. The vulnerability stems from improper handling of user input during web page generation.
CVE-2026-26164 is a vulnerability in Microsoft 365 Copilot caused by improper neutralization of special elements in output (a type of injection attack, where specially crafted input can be misinterpreted as commands). An attacker without authorization could exploit this to access and disclose information over a network.
CVE-2026-26129 is a vulnerability in Microsoft 365 Copilot where improper neutralization of special elements (failure to safely handle certain characters or code) allows an unauthorized attacker to disclose information over a network. The vulnerability has a CVSS score (a 0-10 rating of how severe a vulnerability is) of 4.0, indicating moderate severity.
CVE-2026-33102 is an open redirect vulnerability (a flaw where a website redirects users to an untrusted site) in Microsoft 365 Copilot that allows an attacker to elevate their privileges over a network without authorization. The vulnerability has a CVSS severity rating of 4.0 (a moderate severity score on a 0-10 scale).
CVE-2026-23653 is a command injection vulnerability (a flaw where an attacker can insert malicious commands into input that gets executed) in GitHub Copilot and Visual Studio Code that allows an authorized attacker to disclose information over a network. The vulnerability stems from improper neutralization of special elements used in commands. The CVSS severity score (a standard 0-10 rating of how serious a security flaw is) has not yet been assigned by NIST.
TorchGeo versions 0.4–0.6.0 had a critical vulnerability where the `eval` function (a Python function that executes code from text input) was used in the model weight API, allowing attackers to run arbitrary commands on systems using the library. Any platform exposing TorchGeo's get_weight() or trainers functions publicly was at risk.
The Azure Data Explorer MCP Server (adx-mcp-server) has KQL injection vulnerabilities (a type of code injection where untrusted input is inserted into database queries) in three tools that inspect database tables. Because the `table_name` parameter is directly inserted into Kusto queries (Azure's query language) using f-strings without checking or cleaning the input, an attacker or a prompt-injected AI agent can execute arbitrary database commands, including reading sensitive data or deleting tables.
CVE-2026-26137 is a server-side request forgery vulnerability (SSRF, a flaw where an attacker tricks a server into making unwanted network requests on their behalf) in Microsoft 365 Copilot's Business Chat that allows an authorized attacker to gain elevated privileges over a network. The vulnerability affects an exclusively hosted service and was published on March 19, 2026.
CVE-2026-26136 is a command injection vulnerability (a flaw where an attacker can insert malicious commands by exploiting improper filtering of special characters) in Microsoft Copilot that allows an unauthorized attacker to access and disclose sensitive information over a network.
NVD/CVE Database
Fix (Microsoft APM path traversal): This vulnerability is fixed in version 0.8.12. Users should update Microsoft APM to 0.8.12 or later.
NVD/CVE Database
Fix: Update GitHub Copilot CLI to version 1.0.43 or later, where this vulnerability is fixed.
NVD/CVE Database
Fix (TorchGeo): The `eval` call was replaced with a fixed enum lookup (a safer way to match input to predefined options). Users are encouraged to upgrade to TorchGeo 0.6.1 or newer. For unpatched versions, input validation and sanitization (checking and cleaning user input before processing) can be used to avoid the vulnerability.
GitHub Advisory Database