CVE-2026-42893

Daily digests

A command injection bug in M365 Copilot lets an unauthenticated attacker tamper with Copilot responses or actions over the network. The CVSS is 7.4 with a tampering impact, meaning an attacker could manipulate what Copilot returns to users. This is a cloud-side issue, so the fix is on Microsoft's end, but you should verify your tenant is current.

• Patch Tuesday · May 13, 2026

  Patch Tuesday May 2026: DNS + Netlogon at 9.8, 19 more