776 matches found
CVE-2026-21520 Copilot Studio Information Disclosure Vulnerability
...
CVE-2026-21520
CVE-2026-21520 is a Copilot Studio information disclosure vulnerability with a network attack vector, allowing an unauthenticated attacker to view sensitive information. The NVD/MSRC entry attributes a CVSS v3.1 base score of 7.5 (HIGH) and confirms network access with no privileges. Red Hat and ...
M365 Copilot Information Disclosure Vulnerability
Improper validation of specified type of input in M365 Copilot allows an unauthorized attacker to disclose information over a network...
Word Copilot Information Disclosure Vulnerability
Improper neutralization of escape, meta, or control sequences in Copilot allows an unauthorized attacker to disclose information over a network...
Copilot Studio Information Disclosure Vulnerability
Exposure of Sensitive Information to an Unauthorized Actor in Copilot Studio allows an unauthenticated attacker to view sensitive information through network attack vector...
PT-2026-4308
Name of the Vulnerable Software and Affected Versions: Copilot (affected versions not specified). Description: An issue exists in Copilot where improper neutralization of escape, meta, or control sequences can allow an unauthorized attacker to disclose information over a network. The issue involves th...
Microsoft 365 Word Copilot security vulnerabilities
Microsoft 365 Word Copilot is an AI assistant developed by the American company Microsoft. There is a security vulnerability in Microsoft 365 Word Copilot, which stems from improper handling of escaped sequences, meta-sequences, or control sequences. Attackers can exploit this vulnerability to le...
Microsoft M365 Copilot security vulnerabilities
Microsoft M365 Copilot is an AI-driven productivity tool developed by Microsoft Corporation. There is a security vulnerability in Microsoft M365 Copilot, which stems from improper validation of certain types of inputs. Attackers can exploit this vulnerability to leak information over the network...
Microsoft Copilot Studio command injection vulnerability
Microsoft Copilot Studio is an artificial intelligence chatbot developed by Microsoft Corporation. Microsoft Copilot Studio has a command injection vulnerability, which stems from improper neutralization of certain elements. Attackers can exploit this vulnerability to access sensitive information...
PT-2026-4307
Name of the Vulnerable Software and Affected Versions: Copilot Studio (affected versions not specified). Description: An unauthenticated attacker can view sensitive information through a network attack vector. The issue involves the exposure of sensitive information to an unauthorized actor...
PT-2026-4313
Name of the Vulnerable Software and Affected Versions: M365 Copilot (affected versions not specified). Description: An improper validation of a specified input type in M365 Copilot can allow an unauthorized attacker to disclose information over a network. Recommendations: At the moment, there is no...
A week in security (January 12 – January 18)
Last week on Malwarebytes Labs: WhisperPair exposes Bluetooth earbuds and headphones to tracking and eavesdropping; Dutch police sell fake tickets to show how easily scams work; "Reprompt" attack lets attackers steal data from Microsoft Copilot; Phishing scammers are posting fake "account restricted...
Researchers Reveal Reprompt Attack Allowing Single-Click Data Exfiltration From Microsoft Copilot
Cybersecurity researchers have disclosed details of a new attack method dubbed Reprompt that could allow bad actors to exfiltrate sensitive data from artificial intelligence (AI) chatbots like Microsoft Copilot in a single click, while bypassing enterprise security controls entirely. "Only a single...
“Reprompt” attack lets attackers steal data from Microsoft Copilot
Researchers found a method to steal data which bypasses Microsoft Copilot's built-in safety mechanisms. The attack flow, called Reprompt, abuses how Microsoft Copilot handled URL parameters in order to hijack a user’s existing Copilot Personal session. Copilot is an AI assistant which connects t...
CVE-2025-62116
Missing Authorization vulnerability in quadlayers AI Copilot ai-copilot allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AI Copilot: from n/a through <= 1.5.5...
CVE-2025-62116
Missing Authorization vulnerability in quadlayers AI Copilot ai-copilot allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AI Copilot: from n/a through <= 1.5.2...
CVE-2025-62116 WordPress AI Copilot plugin <= 1.4.7 - Broken Access Control vulnerability
Missing Authorization vulnerability in Quadlayers AI Copilot allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AI Copilot: from n/a through 1.4.7...
EUVD-2025-205998
Missing Authorization vulnerability in Quadlayers AI Copilot allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AI Copilot: from n/a through 1.4.7...
CVE-2025-62116
CVE-2025-62116 is described in the initial document as a Missing Authorization vulnerability in the QuadLayers AI Copilot (WordPress plugin), affecting versions from unknown up to and including 1.4.7. The connected Wordfence document substantively corroborates that AI Copilot is affected by a Mis...
WordPress AI Copilot plugin <= 1.5.0 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin AI Copilot versions <= 1.5.0...