CVE-2026-42893: Microsoft Outlook for iOS Tampering Vulnerability

Overview

Severity

High (CVSS 7.4)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N/E:U/RL:O/RC:C

Category

Tampering

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2026-May

Released

2026-05-12

Description

Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to perform tampering over a network.

Affected Products (1)

Microsoft Office

• Microsoft Outlook for iOS

Security Updates (1)

• Security Update

Acknowledgments

Ofek Levin with <a href="https://enclave.ai/">Enclave</a>

Revision History

• 2026-05-12: Information published.