{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21521", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2025-12-30T18:10:54.846Z", "datePublished": "2026-01-22T22:47:38.118Z", "dateUpdated": "2026-04-01T13:49:27.034Z"}, "containers": {"cna": {"title": "Word Copilot Information Disclosure Vulnerability", "datePublic": "2026-01-22T16:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:365_word_copilot:*:*:*:*:*:*:*:*", "versionStartIncluding": "-"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft 365 Word Copilot", "versions": [{"version": "-", "status": "affected"}]}], "descriptions": [{"value": "Improper neutralization of escape, meta, or control sequences in Copilot allows an unauthorized attacker to disclose information over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences", "lang": "en-US", "type": "CWE", "cweId": "CWE-150"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-01T13:49:27.034Z"}, "references": [{"name": "Word Copilot Information Disclosure Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21521"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 7.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C"}}], "tags": ["exclusively-hosted-service"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-23T20:02:03.925450Z", "id": "CVE-2026-21521", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T20:02:15.843Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21521", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-23T20:02:03.925450Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T20:02:10.801Z"}}], "cna": {"tags": ["exclusively-hosted-service"], "title": "Word Copilot Information Disclosure Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 7.4, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft 365 Word Copilot", "versions": [{"status": "affected", "version": "-"}]}], "datePublic": "2026-01-22T16:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21521", "name": "Word Copilot Information Disclosure Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Improper neutralization of escape, meta, or control sequences in Copilot allows an unauthorized attacker to disclose information over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-150", "description": "CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:365_word_copilot:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "-"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-01T13:49:27.034Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21521", "state": "PUBLISHED", "dateUpdated": "2026-04-01T13:49:27.034Z", "dateReserved": "2025-12-30T18:10:54.846Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-01-22T22:47:38.118Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:365_word_copilot:-:*:*:*:*:*:*:*", "matchCriteriaId": "3A538269-3D01-41B4-B8B1-B70D8514D336", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "secure@microsoft.com", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "Improper neutralization of escape, meta, or control sequences in Copilot allows an unauthorized attacker to disclose information over a network."}], "id": "CVE-2026-21521", "lastModified": "2026-02-02T13:30:53.350", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.0, "source": "secure@microsoft.com", "type": "Primary"}]}, "published": "2026-01-22T23:15:57.823", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21521"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-150"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T07:36:27.538313+00:00", "value": {"mitigation_remediation": ["Install the latest security update for Microsoft\u00a0365\u00a0Word\u00a0Copilot from Microsoft", "Disable or restrict the Word\u00a0Copilot feature in affected documents until the patch is applied", "Monitor network traffic for unauthorized data transmission and apply additional controls if needed"], "summary": {"action": "Immediate Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The flaw affects Microsoft\u00a0365\u00a0Word\u00a0Copilot components across all supported platforms; specific version details are not disclosed, so all installations of Word\u00a0Copilot may be impacted.", "description_and_impact": "The vulnerability arises from improper neutralization of escape, meta, or control sequences within Microsoft\u00a0365\u00a0Word\u00a0Copilot. An unauthorized attacker can exploit this flaw to send sensitive data over the network, exposing confidential information. This flaw corresponds to the Access Control Weakness CWE\u2011150, directly impacting the confidentiality of user data.", "risk_and_exploitability": "The issue carries a CVSS score of 7.4, indicating high severity, yet the EPSS score of less than 1% reflects a very low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, and no known workaround exists. The likely attack vector involves the use of malicious control sequences in a Word document processed by Copilot, enabling an attacker to read or transmit data over the network."}}}}, "created": "2026-04-16T07:45:06.015534+00:00", "updated": "2026-04-16T07:45:06.015547+00:00", "vendors": []}