Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2026-41090— Microsoft Copilot Tampering Vulnerability

CVSS 9.3 · Critical EPSS 0.05% · P15

Possible ATT&CK Techniques 1AI

T1190 · Exploit Public-Facing Application

Affected Version Matrix 1

VendorProductVersion RangeStatus
MicrosoftMicrosoft 365 Copilot for iOS-affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-41090

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Microsoft Copilot Tampering Vulnerability
Source: NVD (National Vulnerability Database)
Vulnerability Description
Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to perform tampering over a network.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在命令中使用的特殊元素转义处理不恰当(命令注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Microsoft 365 Copilot 命令注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Microsoft 365 Copilot是美国微软(Microsoft)公司的一个集成于办公套件中的生成式AI协作助手。 Microsoft 365 Copilot存在命令注入漏洞,该漏洞源于命令注入中特殊元素的中和不当,可能导致未经授权的攻击者通过网络进行篡改。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
MicrosoftMicrosoft 365 Copilot for iOS - -

II. Public POCs for CVE-2026-41090

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-41090

登录查看更多情报信息。

Vendor Advisories for CVE-2026-41090 (1)

Same Patch Batch · Microsoft · 2026-05-22 · 13 CVEs total

CVE-2026-4290110.0 CRITICALMicrosoft Entra ID Elevation of Privilege Vulnerability
CVE-2026-4110410.0 CRITICALMicrosoft Planetary Computer Pro Information Disclosure Vulnerability
CVE-2026-4728010.0 CRITICALAzure Resource Manager Elevation of Privilege Vulnerability
CVE-2026-2365210.0 CRITICALMicrosoft Power Pages Remote Code Execution Vulnerability
CVE-2026-4041210.0 CRITICALAzure Orbital Spatio Remote Code Execution Vulnerability
CVE-2026-404119.9 CRITICALAzure Virtual Network Gateway Remote Code Execution Vulnerability
CVE-2026-338439.1 CRITICALMicrosoft Azure Active Directory B2C Elevation of Privilege Vulnerability
CVE-2026-456598.8 HIGHMicrosoft SharePoint Remote Code Execution Vulnerability
CVE-2026-354308.8 HIGHAzure Privileged Identity Management (PIM) Elevation of Privilege Vulnerability
CVE-2026-261477.7 HIGHAzure Stack HCI Information Disclosure Vulnerability
CVE-2026-236637.5 HIGHMicrosoft Global Secure Access (GSA) Information Disclosure Vulnerability
CVE-2026-428276.5 MEDIUMM365 Copilot Information Disclosure Vulnerability

IV. Related Vulnerabilities

Same vendor: Microsoft
Same weakness: CWE-77

V. Comments for CVE-2026-41090

No comments yet

Leave a comment