Jan 2026: Word Copilot Information Disclosure Vulnerability
CVE-2026-21521 Published on January 22, 2026
Word Copilot Information Disclosure Vulnerability
Improper neutralization of escape, meta, or control sequences in Copilot allows an unauthorized attacker to disclose information over a network.
Weakness Type
Improper Neutralization of Escape, Meta, or Control Sequences
The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component. As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions.
Products Associated with CVE-2026-21521
Want to know whenever a new CVE is published for Microsoft 365 Word Copilot? stack.watch will email you.
Affected Versions
Microsoft 365 Word Copilot Version - is affected by CVE-2026-21521Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.