CVE-2026-24307 — Vulnetix

CVE-2026-24307 PUBLISHED CVSS 9.300000190734863 CRITICAL

Improper validation of specified type of input in M365 Copilot allows an unauthorized attacker to disclose information over a network.

EPSS 0.19% · 41.2th percentile

Risk Scores

CVSS v3.1

9.300000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C

EPSS Score

0.19%

41.2th percentile

Affected Products

Vendor	Product	Versions
microsoft	365_copilot	-, -
Microsoft	Microsoft 365 Copilot	-, -

Timeline

Jan 13, 2026 CVE Published
Jan 22, 2026 CVE Updated
Jan 22, 2026 PoC Published
Jan 23, 2026 EPSS Score
Jan 23, 2026 PoC Published
Jan 26, 2026 EPSS Score
Jan 28, 2026 EPSS Score
Jan 31, 2026 EPSS Score
Feb 2, 2026 EPSS Score
Feb 5, 2026 EPSS Score
Feb 8, 2026 EPSS Score
Feb 10, 2026 EPSS Score

References

M365 Copilot Information Disclosure Vulnerability vendor-advisory
https://nvd.nist.gov/vuln/detail/CVE-2026-24307 advisory

Open in Interactive Console →

$ Console Community · 100/wk Open console ›