{ "app": { "bundle_id": "com.microsoft.Office.Outlook", "name": "Microsoft Outlook", "platform": "ios", "current_version": "5.2618.0", "version_code": null }, "version_checked": "4.2200.0", "version_code_checked": null, "warnings": [], "summary": { "affected_count": 3, "fixed_count": 0, "unknown_count": 2, "kev_affected": 0 }, "affected": [ { "cve_id": "CVE-2026-42893", "severity": "HIGH", "cvss_v3_score": 7.4, "is_kev": false, "kev_due_date": null, "fixed_in_version": "5.2617.1", "affected_versions": { "start": null, "start_inclusive": false, "end": "5.2617.1", "end_inclusive": false }, "published": "2026-05-12", "description": "Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to perform tampering over a network." }, { "cve_id": "CVE-2026-26133", "severity": "HIGH", "cvss_v3_score": 7.1, "is_kev": false, "kev_due_date": null, "fixed_in_version": "5.2605.0", "affected_versions": { "start": null, "start_inclusive": false, "end": "5.2605.0", "end_inclusive": false }, "published": "2026-03-16", "description": "AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network." }, { "cve_id": "CVE-2024-43482", "severity": "MEDIUM", "cvss_v3_score": 6.5, "is_kev": false, "kev_due_date": null, "fixed_in_version": "4.2435.0", "affected_versions": { "start": null, "start_inclusive": false, "end": "4.2435.0", "end_inclusive": false }, "published": "2024-09-10", "description": "Microsoft Outlook for iOS Information Disclosure Vulnerability" } ], "fixed": [], "unknown": [ { "cve_id": "CVE-2019-1218", "severity": "MEDIUM", "cvss_v3_score": 5.4, "is_kev": false, "kev_due_date": null, "fixed_in_version": null, "affected_versions": { "start": null, "start_inclusive": false, "end": null, "end_inclusive": false }, "published": "2019-08-14", "description": "A spoofing vulnerability exists in the way Microsoft Outlook iOS software parses specifically crafted email messages. An authenticated attacker could exploit the vulnerability by sending a specially crafted email message to a victim.\nThe attacker who successfully exploited this vulnerability could then perform cross-site scripting attacks on the affected systems and run scripts in the security context of the current user.\nThe security update addresses the vulnerability by correcting how Outlook iOS parses specially crafted email messages." }, { "cve_id": "CVE-2019-1084", "severity": "MEDIUM", "cvss_v3_score": 6.5, "is_kev": false, "kev_due_date": null, "fixed_in_version": null, "affected_versions": { "start": null, "start_inclusive": false, "end": null, "end_inclusive": false }, "published": "2019-07-15", "description": "An information disclosure vulnerability exists when Exchange allows creation of entities with Display Names having non-printable characters. An authenticated attacker could exploit this vulnerability by creating entities with invalid display names, which, when added to conversations, remain invisible. This security update addresses the issue by validating display names upon creation in Microsoft Exchange, and by rendering invalid display names correctly in Microsoft Outlook clients., aka 'Microsoft Exchange Information Disclosure Vulnerability'." } ] }