Tuesday, June 23 2026
Microsoft 365 Copilot

3 Critical Microsoft 365 Copilot Flaws Expose Sensitive Information

Microsoft fixed 3 critical security issues in Microsoft 365 Copilot and Copilot Chat in Microsoft Edge. These were released on May 7, 2026, and users or admins don’t need to do anything.

Microsoft’s Security Response Center published updates on CVE-2026-26129, CVE-2026-26164, and CVE-2026-33111 as part of its ongoing commitment to transparency for its cloud services.

Microsoft has fully fixed all three issues, in line with its cloud CVE transparency initiative, “Toward Greater Transparency: Unveiling Cloud Service CVEs.”

Microsoft 365 Copilot Vulnerabilities

CVE-2026-26129 affects Business Chat in Microsoft 365 Copilot. The flaw stems from improper handling of special characters in output, which could let an attacker disclose sensitive information over a network.

CVE-2026-26164 affects M365 Copilot and is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, “Injection”).

The attack vector is the network, it requires no privileges and no user interaction, and it has a high impact on confidentiality. Its exploitability is rated “Exploitation Less Likely,” and the maturity of the exploit code is marked as untested.

CVE-2026-33111 affects Copilot Chat in Microsoft Edge and is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command, “Command Injection”).

It has the same CVSS score as CVE-2026-26164, 7.5 / 6.5 (temporal), and the same attack profile: it is reachable over a network, requires no privileges, requires no user interaction, and has a high impact on confidentiality.

Microsoft thanked Estevam Arantes of Microsoft for finding both CVE-2026-26129 and CVE-2026-26164. They also gave credit to independent researcher 0xSombra for CVE-2026-26164.

Microsoft has put fixes in place at the service level. Companies do not have to install updates or change settings.

Security teams should check Copilot’s data access permissions and apply least-privilege rules to lower the risk of similar problems in the future.
