Mar 2026: M365 Copilot Information Disclosure Vulnerability
CVE-2026-26133 Published on March 13, 2026

M365 Copilot Information Disclosure Vulnerability
AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.

Vendor Advisory NVD

Weakness Type

What is a Command Injection Vulnerability?

The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

CVE-2026-26133 has been classified to as a Command Injection vulnerability or weakness.


Products Associated with CVE-2026-26133

Want to know whenever a new CVE is published for Microsoft products? stack.watch will email you.

Microsoft Onenote For Ios
 
Microsoft Outlook
 
Microsoft Outlook 2016
 
Microsoft 365 Copilot Ios
 
Microsoft Edge Browser
 
Microsoft Teams
 
Microsoft Excel
 
Microsoft Word
 
Microsoft Powerpoint
 
Microsoft Loop
 
Microsoft 365 Copilot Android
 
Microsoft Power Bi Android
 
Microsoft Power Bi Ios
 
Microsoft Onenote For Android
 

Affected Versions

Microsoft 365 Copilot for Android: Microsoft 365 Copilot for iOS: Microsoft Edge for Android: Microsoft Edge for iOS: Microsoft Excel for Android: Microsoft Excel for iOS: Microsoft Loop for iOS: Microsoft OneNote: Microsoft OneNote for Android: Microsoft Outlook for Android: Microsoft Outlook for iOS: Microsoft Outlook for Mac: Microsoft PowerBI for Android: Microsoft PowerBI for iOS: Microsoft PowerPoint for Android: Microsoft PowerPoint for iOS: Microsoft Teams for Android: Microsoft Teams for iOS: Microsoft Word for Android: Microsoft Word for iOS:

Exploit Probability

EPSS
0.06%
Percentile
18.14%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.