CVE-2026-42824
MEDIUM · 6.5 · EPSS 0.5%
Working attack chain described by researchers; Microsoft mitigated; not KEV-listed yet; PoC not independently verified.
What: Command injection in Microsoft 365 Copilot allowing unauthorized information disclosure via crafted URLs; CVSS 6.5 (Medium).
Why it matters: Posts describe a working one-click exfiltration chain (prompt injection combined with SSRF) exposing emails, MFA codes, and files. Microsoft has deployed a server-side mitigation. The issue is not KEV-listed and no independent PoC confirmation is visible, but researcher disclosures cite technical exploitation mechanics and real-world impact.
Where it's seen: Named "SearchLeak" across Bluesky and X; researcher breakdowns detailing injection chains; vendor acknowledgment of mitigation; threat intel aggregation citing the vulnerability as patched.
RISK: MODERATE — Server-side fix deployed; Medium CVSS; information disclosure only, no code execution.
Description
Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.
CVSS 3.1 breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Attack vector: Network
- Complexity: Low
- Privileges required: None
- User interaction: Required
- Scope: Unchanged
- Confidentiality: High
- Integrity: None
- Availability: None