Microsoft 365 Copilot Chat — known CVE vulnerabilities
Every CVE whose affected-product data names Microsoft 365 Copilot Chat, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (7)
CVE-2026-26137 — CVSS 9.9 (critical): Server-side request forgery (ssrf) in Microsoft Exchange allows an authorized attacker to elevate privileges over a network.
CVE-2025-59272 — CVSS 9.3 (critical): Improper neutralization of special elements used in a command ('command injection') in Copilot allows an unauthorized attacker to perform…
CVE-2025-59286 — CVSS 9.3 (critical): Improper neutralization of special elements used in a command ('command injection') in Copilot allows an unauthorized attacker to disclose…
CVE-2026-26129 — CVSS 7.5 (high): Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to…
CVE-2026-26164 — CVSS 7.5 (high): Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to…