// Microsoft 365MEDIUM
Microsoft disclosed CVE-2026-45497, a remote code execution vulnerability (CVSS 7.7) in Microsoft 365 Copilot caused by command injection that could allow scope escalation within the Microsoft 365 environment. Microsoft fixed the vulnerability server-side on June 4, 2026, before public disclosure as part of its Early Security Updates. No customer patching is required; however, organizations should review identity and access logs for suspicious activity.
// Get alerts for Microsoft 365