CVE-2026-41090: Microsoft Copilot Command Injection Vulnerability
Summary
An unauthorized attacker can inject malicious commands into Microsoft Copilot over a network, potentially allowing them to access or modify sensitive data. This vulnerability puts users' data at risk. To protect your organization, ensure you're running the latest version of Microsoft Copilot and consider implementing additional security measures.
Original title
Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to perform tampering over a network.
Original description
Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to perform tampering over a network.
NVD CVSS 3.1
9.3
Vulnerability type
CWE-77
Command Injection
Published: 22 May 2026 · Updated: 28 May 2026 · First seen: 26 May 2026