wid-sec-w-2026-0795 · Published 2026-03-19 · View on BSI CERT-Bund ↗

Microsoft 365 Copilot: Multiple Vulnerabilities

CVSS 9.9 CRITICAL

Risk Summary

Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to disclose information over a network. Server-side request forgery (ssrf) in Microsoft Exchange allows an authorized attacker to elevate privileges over a network.

CVEs (3)

CVE-2026-24299 CVE-2026-26136 CVE-2026-26137

Affected Vendors

Microsoft

Affected Products (1)

Microsoft · 365 Copilot BizChat

Get alerted to advisories like this

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.

Start free trial Learn more