CVE-2026-41090

PUBLISHED

Published: 22 May 2026, 22:03

Last modified:22 May 2026, 22:03

Vulnerability Summary

Overall Risk (default)

high

70/100

CVSS Score

9.3 CRITICAL

v3.1 (cve.org)

EPSS Score

0.05% LOW

0% probability

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

22 May 2026, 22:03

Published

Vulnerability first disclosed

Description

Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to perform tampering over a network.

CVSS Metrics

v3.1•CRITICAL•Score: 9.3CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C

EPSS Trends

Current EPSS score: 0.05%• Percentile: 15%

Techniques & Countermeasures

CWE-77•Improper Neutralization of Special Elements used in a Command ('Command Injection')
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Affected Systems

microsoft•microsoft 365 copilot for ios
-

References (1)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41090