CVE-2026-26133

moderate-risk

Published 2026-03-16

AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.

Do I need to act?

0.05% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.1/10 High

NETWORK / LOW complexity

365 Copilot

Edge

Excel

Loop

Onenote

Outlook

Power Bi

Powerpoint

Teams

Word

Microsoft

Vendor Advisory https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26133

/ 100

moderate-risk

Severity 25/34 · High

Exploitability 0/34 · Minimal

Exposure 20/34 · Moderate