Microsoft assigned CVE-2026-21520, a CVSS 7.5 indirect prompt injection vulnerability, to Copilot Studio.
Capsule Security discovered the flaw, coordinated disclosure with Microsoft, and the patch was deployed on January 15.
Public disclosure went live on Wednesday. That CVE matters less for what it fixes and more for what it signals.
Capsule’s research calls Microsoft’s decision to assign a CVE to a prompt injection vulnerability in an agentic platform “highly unusual.” Microsoft previously assigned CVE-2025-32711 (CVSS 9.3) to EchoLeak, a prompt injection in M365 Copilot patched in June 2025, but that targeted a productivity assistant, not an agent-building platform.