// Microsoft 365CRITICAL
Varonis disclosed SearchLeak (CVE-2026-42824), a three-stage vulnerability chain in Microsoft 365 Copilot Enterprise combining parameter-to-prompt injection, HTML rendering race conditions, and CSP bypass via Bing SSRF. The flaw enables one-click exfiltration of emails, MFA codes, calendar items, SharePoint and OneDrive files. Microsoft assigned critical severity and patched the issue.
// Get alerts for Microsoft 365