HIGH 7.1
CVE-2026-26133
AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.
CVSS v3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Affected mobile apps
Microsoft Edge
com.microsoft.msedge
1 open
Microsoft Edge
com.microsoft.emmx
1 open
Microsoft Excel
com.microsoft.Office.Excel
1 open
Microsoft Excel
com.microsoft.office.excel
1 open
Microsoft OneNote
com.microsoft.onenote
1 open
Microsoft OneNote
com.microsoft.office.onenote
1 open
Microsoft Outlook
com.microsoft.office.outlook
1 open
Microsoft Outlook
com.microsoft.Office.Outlook
1 open
Microsoft PowerPoint
com.microsoft.Office.PowerPoint
1 open
Microsoft PowerPoint
com.microsoft.office.powerpoint
1 open
Microsoft Teams
com.microsoft.teams
1 open
Microsoft Teams
com.microsoft.skype.teams
1 open
Microsoft Word
com.microsoft.Office.Word
1 open
Microsoft Word
com.microsoft.office.word
1 open
Vulnerable CPE configurations
| Vendor | Product | Platform | Versions | CPE 2.3 URI |
|---|---|---|---|---|
| microsoft | 365_copilot | iOS | <2.107.2 | cpe:2.3:a:microsoft:365_copilot:*:*:*:*:*:iphone_os:*:* |
| microsoft | 365_copilot | Android | <16.0.19815.10000 | cpe:2.3:a:microsoft:365_copilot:*:*:*:*:*:android:*:* |
| microsoft | edge | Android | <145.3800.99 | cpe:2.3:a:microsoft:edge:*:*:*:*:*:android:*:* |
| microsoft | edge | iOS | <145.3800.99 | cpe:2.3:a:microsoft:edge:*:*:*:*:*:iphone_os:*:* |
| microsoft | excel | iOS | <2.106.2 | cpe:2.3:a:microsoft:excel:*:*:*:*:*:iphone_os:*:* |
| microsoft | excel | Android | <16.0.19822.20038 | cpe:2.3:a:microsoft:excel:*:*:*:*:*:android:*:* |
| microsoft | loop | iOS | <2.106 | cpe:2.3:a:microsoft:loop:*:*:*:*:*:iphone_os:*:* |
| microsoft | onenote | Android | <16.0.19725.20142 | cpe:2.3:a:microsoft:onenote:*:*:*:*:*:android:*:* |
| microsoft | onenote | iOS | — | cpe:2.3:a:microsoft:onenote:-:*:*:*:*:iphone_os:*:* |
| microsoft | outlook | Android | <5.2605.0 | cpe:2.3:a:microsoft:outlook:*:*:*:*:*:android:*:* |
| microsoft | outlook | iOS | <5.2605.0 | cpe:2.3:a:microsoft:outlook:*:*:*:*:*:iphone_os:*:* |
| microsoft | power_bi | Android | <2.2.260210.21290750 | cpe:2.3:a:microsoft:power_bi:*:*:*:*:*:android:*:* |
| microsoft | power_bi | iOS | — | cpe:2.3:a:microsoft:power_bi:-:*:*:*:*:iphone_os:*:* |
| microsoft | powerpoint | iOS | <2.106.2 | cpe:2.3:a:microsoft:powerpoint:*:*:*:*:*:iphone_os:*:* |
| microsoft | powerpoint | Android | <16.0.19822.20038 | cpe:2.3:a:microsoft:powerpoint:*:*:*:*:*:android:*:* |
| microsoft | teams | Android | <1.0.0.2026043102 | cpe:2.3:a:microsoft:teams:*:*:*:*:*:android:*:* |
| microsoft | teams | iOS | <8.3.1 | cpe:2.3:a:microsoft:teams:*:*:*:*:*:iphone_os:*:* |
| microsoft | word | iOS | <2.106.2 | cpe:2.3:a:microsoft:word:*:*:*:*:*:iphone_os:*:* |
| microsoft | word | Android | <16.0.19822.20038 | cpe:2.3:a:microsoft:word:*:*:*:*:*:android:*:* |