Command Injection Vulnerability in Microsoft Copilot
CVE-2026-41090

9.3 CRITICAL

Key Information:

Vendor: Microsoft
CVE Published: 22 May 2026

What is CVE-2026-41090?

A vulnerability in Microsoft Copilot enables an attacker to exploit improper handling of command inputs, potentially allowing unauthorized network tampering. This could result in the exposure or modification of sensitive data. Users are advised to apply the latest security patches to mitigate this risk.

Affected Version(s)

Microsoft 365 Copilot for iOS -

CVSS V3.1

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
