{"api_version":"1","generated_at":"2026-04-09T20:37:52+00:00","cve":"CVE-2026-26133","urls":{"html":"https://cve.report/CVE-2026-26133","api":"https://cve.report/api/cve/CVE-2026-26133.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-26133","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-26133"},"summary":{"title":"M365 Copilot Information Disclosure Vulnerability","description":"AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.","state":"PUBLISHED","assigner":"microsoft","published_at":"2026-03-16 14:18:26","updated_at":"2026-04-09 18:16:57"},"problem_types":["CWE-77","CWE-77 CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')"],"metrics":[{"version":"3.1","source":"secure@microsoft.com","type":"Secondary","score":"7.1","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"7.1","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C","data":{"baseScore":7.1,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C","version":"3.1"}}],"references":[{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26133","name":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26133","refsource":"secure@microsoft.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-26133","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26133","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Microsoft","product":"Microsoft 365 Copilot for Android","version":"affected 1.0 16.0.19815.10000 custom","platforms":[]},{"source":"CNA","vendor":"Microsoft","product":"Microsoft 365 Copilot for iOS","version":"affected 1.0 2.107.2 custom","platforms":[]},{"source":"CNA","vendor":"Microsoft","product":"Microsoft Edge for Android","version":"affected 1.0.0 145.3800.99 custom","platforms":[]},{"source":"CNA","vendor":"Microsoft","product":"Microsoft Edge for iOS","version":"affected 1.0.0.0 145.3800.99 custom","platforms":[]},{"source":"CNA","vendor":"Microsoft","product":"Microsoft Excel for Android","version":"affected 16.0.0.0 16.0.19822.20038 custom","platforms":[]},{"source":"CNA","vendor":"Microsoft","product":"Microsoft Excel for iOS","version":"affected 1.0 2.106.26020617 custom","platforms":[]},{"source":"CNA","vendor":"Microsoft","product":"Microsoft Loop for iOS","version":"affected 2.0.0 2.106.26020617 custom","platforms":[]},{"source":"CNA","vendor":"Microsoft","product":"Microsoft OneNote","version":"affected 1.0.0 2.106.26020617 custom","platforms":[]},{"source":"CNA","vendor":"Microsoft","product":"Microsoft OneNote for Android","version":"affected 16.0.1 16.0.19725.20142 custom","platforms":[]},{"source":"CNA","vendor":"Microsoft","product":"Microsoft Outlook for Android","version":"affected 1.0 5.2605 custom","platforms":[]},{"source":"CNA","vendor":"Microsoft","product":"Microsoft Outlook for iOS","version":"affected 1.0.0 5.2605 custom","platforms":[]},{"source":"CNA","vendor":"Microsoft","product":"Microsoft Outlook for Mac","version":"affected 1.0.0 5.2605 custom","platforms":[]},{"source":"CNA","vendor":"Microsoft","product":"Microsoft PowerBI for Android","version":"affected 2.0.0 2.2.260210.21290750 custom","platforms":[]},{"source":"CNA","vendor":"Microsoft","product":"Microsoft PowerBI for iOS","version":"affected 1.0.0 1.2.260302.2193910 custom","platforms":[]},{"source":"CNA","vendor":"Microsoft","product":"Microsoft PowerPoint for Android","version":"affected 16.0.0.0 16.0.19822.20038 custom","platforms":[]},{"source":"CNA","vendor":"Microsoft","product":"Microsoft PowerPoint for iOS","version":"affected 1.0 2.106.26020617 custom","platforms":[]},{"source":"CNA","vendor":"Microsoft","product":"Microsoft Teams for Android","version":"affected 1.0.0 1.0.0.2026043102 custom","platforms":[]},{"source":"CNA","vendor":"Microsoft","product":"Microsoft Teams for iOS","version":"affected 2.0.0 8.3.1 custom","platforms":[]},{"source":"CNA","vendor":"Microsoft","product":"Microsoft Word for Android","version":"affected 16.0.0.0 16.0.19822.20038 custom","platforms":[]},{"source":"CNA","vendor":"Microsoft","product":"Microsoft Word for iOS","version":"affected 2.0.0 2.106.26020617 custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"26133","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"microsoft","cpe5":"365_copilot","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"android","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"26133","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"microsoft","cpe5":"365_copilot","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"iphone_os","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"26133","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"microsoft","cpe5":"edge","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"android","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"26133","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"microsoft","cpe5":"edge","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"iphone_os","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"26133","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"microsoft","cpe5":"excel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"android","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"26133","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"microsoft","cpe5":"excel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"iphone_os","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"26133","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"microsoft","cpe5":"loop","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"iphone_os","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"26133","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"microsoft","cpe5":"onenote","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"android","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"26133","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"microsoft","cpe5":"onenote","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"iphone_os","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"26133","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"microsoft","cpe5":"outlook","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"android","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"26133","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"microsoft","cpe5":"outlook","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"iphone_os","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"26133","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"microsoft","cpe5":"outlook","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"macos","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"26133","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"microsoft","cpe5":"powerpoint","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"android","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"26133","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"microsoft","cpe5":"powerpoint","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"iphone_os","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"26133","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"microsoft","cpe5":"power_bi","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"android","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"26133","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"microsoft","cpe5":"power_bi","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"iphone_os","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"26133","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"microsoft","cpe5":"teams","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"android","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"26133","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"microsoft","cpe5":"teams","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"iphone_os","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"26133","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"microsoft","cpe5":"word","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"android","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"26133","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"microsoft","cpe5":"word","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"iphone_os","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"26133","cve":"CVE-2026-26133","epss":"0.000480000","percentile":"0.147990000","score_date":"2026-04-07","updated_at":"2026-04-08 00:03:38"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-26133","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-03-16T14:24:19.473896Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-03-16T14:24:30.194Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"Microsoft 365 Copilot for Android","vendor":"Microsoft","versions":[{"lessThan":"16.0.19815.10000","status":"affected","version":"1.0","versionType":"custom"}]},{"product":"Microsoft 365 Copilot for iOS","vendor":"Microsoft","versions":[{"lessThan":"2.107.2","status":"affected","version":"1.0","versionType":"custom"}]},{"product":"Microsoft Edge for Android","vendor":"Microsoft","versions":[{"lessThan":"145.3800.99","status":"affected","version":"1.0.0","versionType":"custom"}]},{"product":"Microsoft Edge for iOS","vendor":"Microsoft","versions":[{"lessThan":"145.3800.99","status":"affected","version":"1.0.0.0","versionType":"custom"}]},{"product":"Microsoft Excel for Android","vendor":"Microsoft","versions":[{"lessThan":"16.0.19822.20038","status":"affected","version":"16.0.0.0","versionType":"custom"}]},{"product":"Microsoft Excel for iOS","vendor":"Microsoft","versions":[{"lessThan":"2.106.26020617","status":"affected","version":"1.0","versionType":"custom"}]},{"product":"Microsoft Loop for iOS","vendor":"Microsoft","versions":[{"lessThan":"2.106.26020617","status":"affected","version":"2.0.0","versionType":"custom"}]},{"product":"Microsoft OneNote","vendor":"Microsoft","versions":[{"lessThan":"2.106.26020617","status":"affected","version":"1.0.0","versionType":"custom"}]},{"product":"Microsoft OneNote for Android","vendor":"Microsoft","versions":[{"lessThan":"16.0.19725.20142","status":"affected","version":"16.0.1","versionType":"custom"}]},{"product":"Microsoft Outlook for Android","vendor":"Microsoft","versions":[{"lessThan":"5.2605","status":"affected","version":"1.0","versionType":"custom"}]},{"product":"Microsoft Outlook for iOS","vendor":"Microsoft","versions":[{"lessThan":"5.2605","status":"affected","version":"1.0.0","versionType":"custom"}]},{"product":"Microsoft Outlook for Mac","vendor":"Microsoft","versions":[{"lessThan":"5.2605","status":"affected","version":"1.0.0","versionType":"custom"}]},{"product":"Microsoft PowerBI for Android","vendor":"Microsoft","versions":[{"lessThan":"2.2.260210.21290750","status":"affected","version":"2.0.0","versionType":"custom"}]},{"product":"Microsoft PowerBI for iOS","vendor":"Microsoft","versions":[{"lessThan":"1.2.260302.2193910","status":"affected","version":"1.0.0","versionType":"custom"}]},{"product":"Microsoft PowerPoint for Android","vendor":"Microsoft","versions":[{"lessThan":"16.0.19822.20038","status":"affected","version":"16.0.0.0","versionType":"custom"}]},{"product":"Microsoft PowerPoint for iOS","vendor":"Microsoft","versions":[{"lessThan":"2.106.26020617","status":"affected","version":"1.0","versionType":"custom"}]},{"product":"Microsoft Teams for Android","vendor":"Microsoft","versions":[{"lessThan":"1.0.0.2026043102","status":"affected","version":"1.0.0","versionType":"custom"}]},{"product":"Microsoft Teams for iOS","vendor":"Microsoft","versions":[{"lessThan":"8.3.1","status":"affected","version":"2.0.0","versionType":"custom"}]},{"product":"Microsoft Word for Android","vendor":"Microsoft","versions":[{"lessThan":"16.0.19822.20038","status":"affected","version":"16.0.0.0","versionType":"custom"}]},{"product":"Microsoft Word for iOS","vendor":"Microsoft","versions":[{"lessThan":"2.106.26020617","status":"affected","version":"2.0.0","versionType":"custom"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:microsoft:onenote_for_ios:*:*:*:*:*:*:*:*","versionEndExcluding":"2.106.26020617","versionStartIncluding":"1.0.0","vulnerable":true},{"criteria":"cpe:2.3:a:microsoft:outlook:*:*:*:*:*:macos:*:*","versionEndExcluding":"5.2605","versionStartIncluding":"1.0.0","vulnerable":true},{"criteria":"cpe:2.3:a:microsoft:outlook_2016:*:*:*:*:*:android:*:*","versionEndExcluding":"5.2605","versionStartIncluding":"1.0","vulnerable":true},{"criteria":"cpe:2.3:a:microsoft:365_copilot_iOS:*:*:*:*:*:*:*:*","versionEndExcluding":"2.107.2","versionStartIncluding":"1.0","vulnerable":true},{"criteria":"cpe:2.3:a:microsoft:edge:*:*:*:*:*:android:*:*","versionEndExcluding":"145.3800.99","versionStartIncluding":"1.0.0","vulnerable":true},{"criteria":"cpe:2.3:a:microsoft:teams:*:*:*:*:*:iphone_os:*:*","versionEndExcluding":"8.3.1","versionStartIncluding":"2.0.0","vulnerable":true},{"criteria":"cpe:2.3:a:microsoft:teams:*:*:*:*:*:android:*:*","versionEndExcluding":"1.0.0.2026043102","versionStartIncluding":"1.0.0","vulnerable":true},{"criteria":"cpe:2.3:a:microsoft:excel:*:*:*:*:*:android:*:*","versionEndExcluding":"16.0.19822.20038","versionStartIncluding":"16.0.0.0","vulnerable":true},{"criteria":"cpe:2.3:a:microsoft:word:*:*:*:*:*:android:*:*","versionEndExcluding":"16.0.19822.20038","versionStartIncluding":"16.0.0.0","vulnerable":true},{"criteria":"cpe:2.3:a:microsoft:powerpoint:*:*:iOS:*:*:*:*:*","versionEndExcluding":"2.106.26020617","versionStartIncluding":"1.0","vulnerable":true},{"criteria":"cpe:2.3:a:microsoft:word:*:*:iOS:*:*:*:*:*","versionEndExcluding":"2.106.26020617","versionStartIncluding":"2.0.0","vulnerable":true},{"criteria":"cpe:2.3:a:microsoft:loop:*:*:iOS:*:*:*:*:*","versionEndExcluding":"2.106.26020617","versionStartIncluding":"2.0.0","vulnerable":true},{"criteria":"cpe:2.3:a:microsoft:outlook:*:*:*:*:*:iphone_os:*:*","versionEndExcluding":"5.2605","versionStartIncluding":"1.0.0","vulnerable":true},{"criteria":"cpe:2.3:a:microsoft:365_copilot_Android:*:*:*:*:*:*:*:*","versionEndExcluding":"16.0.19815.10000","versionStartIncluding":"1.0","vulnerable":true},{"criteria":"cpe:2.3:a:microsoft:power_bi_android:*:*:*:*:*:*:*:*","versionEndExcluding":"2.2.260210.21290750","versionStartIncluding":"2.0.0","vulnerable":true},{"criteria":"cpe:2.3:a:microsoft:power_bi_iOS:*:*:*:*:*:*:*:*","versionEndExcluding":"1.2.260302.2193910","versionStartIncluding":"1.0.0","vulnerable":true},{"criteria":"cpe:2.3:a:microsoft:onenote_for_android:*:*:*:*:*:*:*:*","versionEndExcluding":"16.0.19725.20142","versionStartIncluding":"16.0.1","vulnerable":true},{"criteria":"cpe:2.3:a:microsoft:edge:*:*:*:*:*:iphone_os:*:*","versionEndExcluding":"145.3800.99","versionStartIncluding":"1.0.0.0","vulnerable":true},{"criteria":"cpe:2.3:a:microsoft:powerpoint:*:*:*:*:*:android:*:*","versionEndExcluding":"16.0.19822.20038","versionStartIncluding":"16.0.0.0","vulnerable":true},{"criteria":"cpe:2.3:a:microsoft:excel:*:*:iOS:*:*:*:*:*","versionEndExcluding":"2.106.26020617","versionStartIncluding":"1.0","vulnerable":true}],"negate":false,"operator":"OR"}]}],"datePublic":"2026-03-12T14:00:00.000Z","descriptions":[{"lang":"en-US","value":"AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network."}],"metrics":[{"cvssV3_1":{"baseScore":7.1,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en-US","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-77","description":"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')","lang":"en-US","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-09T18:05:12.027Z","orgId":"f38d906d-7342-40ea-92c1-6c4a2c6478c8","shortName":"microsoft"},"references":[{"name":"M365 Copilot Information Disclosure Vulnerability","tags":["vendor-advisory","patch"],"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26133"}],"title":"M365 Copilot Information Disclosure Vulnerability"}},"cveMetadata":{"assignerOrgId":"f38d906d-7342-40ea-92c1-6c4a2c6478c8","assignerShortName":"microsoft","cveId":"CVE-2026-26133","datePublished":"2026-03-13T21:10:13.535Z","dateReserved":"2026-02-11T16:24:51.133Z","dateUpdated":"2026-04-09T18:05:12.027Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-03-16 14:18:26","lastModifiedDate":"2026-04-09 18:16:57","problem_types":["CWE-77","CWE-77 CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')"],"metrics":{"cvssMetricV31":[{"source":"secure@microsoft.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":4.2}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:365_copilot:*:*:*:*:*:iphone_os:*:*","versionEndExcluding":"2.107.2","matchCriteriaId":"236E57A2-4772-4C84-9AA5-E623FC2F547E"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:365_copilot:*:*:*:*:*:android:*:*","versionEndExcluding":"16.0.19815.10000","matchCriteriaId":"7AEBF186-6FE1-4808-B812-A55DFFB629B3"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:edge:*:*:*:*:*:android:*:*","versionEndExcluding":"145.3800.99","matchCriteriaId":"096B9A15-8DA4-4DC2-A2D7-70FB7D50A578"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:edge:*:*:*:*:*:iphone_os:*:*","versionEndExcluding":"145.3800.99","matchCriteriaId":"70EE133F-A117-4F41-85E7-E3E29E6598F3"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:excel:*:*:*:*:*:iphone_os:*:*","versionEndExcluding":"2.106.2","matchCriteriaId":"D3D0FC9C-4FF7-48D2-B6B5-C0F631B1A07F"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:excel:*:*:*:*:*:android:*:*","versionEndExcluding":"16.0.19822.20038","matchCriteriaId":"6C12366E-9991-4265-9939-904BFE430989"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:loop:*:*:*:*:*:iphone_os:*:*","versionEndExcluding":"2.106","matchCriteriaId":"1766DBAA-0153-438F-BD60-73381334AB11"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:onenote:*:*:*:*:*:android:*:*","versionEndExcluding":"16.0.19725.20142","matchCriteriaId":"67CB78F7-2EBE-4657-8AB8-33F7CA0D1A58"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:onenote:-:*:*:*:*:iphone_os:*:*","matchCriteriaId":"C473D8B1-69DA-4252-9A99-603CE3344D1D"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:outlook:*:*:*:*:*:android:*:*","versionEndExcluding":"5.2605.0","matchCriteriaId":"2FBAA043-3D54-4970-A074-717A31C54D63"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:outlook:*:*:*:*:*:iphone_os:*:*","versionEndExcluding":"5.2605.0","matchCriteriaId":"6401B00C-BB0F-434F-B777-5A2ED4E55CF6"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:outlook:-:*:*:*:*:macos:*:*","matchCriteriaId":"287DF1D6-0949-4AB3-8AB3-625CE745218A"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:power_bi:*:*:*:*:*:android:*:*","versionEndExcluding":"2.2.260210.21290750","matchCriteriaId":"5E95BF2F-3ED5-47EA-AFF2-739E19E3F185"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:power_bi:-:*:*:*:*:iphone_os:*:*","matchCriteriaId":"231BEECA-EECC-4F9F-A274-155F88C0DB13"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:powerpoint:*:*:*:*:*:iphone_os:*:*","versionEndExcluding":"2.106.2","matchCriteriaId":"92DE0FB6-FD20-4838-9110-1639534C85D5"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:powerpoint:*:*:*:*:*:android:*:*","versionEndExcluding":"16.0.19822.20038","matchCriteriaId":"432B5138-77FA-4282-944C-822842E55852"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:teams:*:*:*:*:*:android:*:*","versionEndExcluding":"1.0.0.2026043102","matchCriteriaId":"723599DE-2621-4A05-840B-97394B6B0895"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:teams:*:*:*:*:*:iphone_os:*:*","versionEndExcluding":"8.3.1","matchCriteriaId":"E90345E3-4412-46BE-9F5F-10C679F5B5FB"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:word:*:*:*:*:*:iphone_os:*:*","versionEndExcluding":"2.106.2","matchCriteriaId":"E3303015-2B25-4344-9F27-9257707AEA1F"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:word:*:*:*:*:*:android:*:*","versionEndExcluding":"16.0.19822.20038","matchCriteriaId":"90BE21AE-F476-4520-A9BA-7ECF36CC977D"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"26133","Ordinal":"1","Title":"M365 Copilot Information Disclosure Vulnerability","CVE":"CVE-2026-26133","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"26133","Ordinal":"1","NoteData":"AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.","Type":"Description","Title":"M365 Copilot Information Disclosure Vulnerability"}]}}}