CVE-2026-48561 PUBLISHED

Microsoft Copilot Remote Code Execution Vulnerability

Assigner: microsoft
Reserved: 21.05.2026 Published: 14.07.2026 Updated: 15.07.2026

Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to execute code over a network.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
CVSS Score: 9.6

Product Status

Vendor Microsoft
Product Microsoft 365 Copilot for Android
Versions
  • affected from 1.0 to publication (excl.)
Vendor Microsoft
Product Microsoft 365 Copilot for iOS
Versions
  • affected from 1.0 to publication (excl.)

References

Problem Types