Microsoft Security Response Center Blog Alerts

CVE-2026-24307 M365 Copilot Information Disclosure Vulnerability

Published January 23, 2026

Improper validation of specified type of input in M365 Copilot allows an unauthorized attacker to disclose information over a network.

CVE-2026-21227 Azure Logic Apps Elevation of Privilege Vulnerability

Published January 23, 2026

Improper limitation of a pathname to a restricted directory (‘path traversal’) in Azure Logic Apps allows an unauthorized attacker to elevate privileges over a network.

CVE-2026-21521 Word Copilot Information Disclosure Vulnerability

Published January 23, 2026

Improper neutralization of escape, meta, or control sequences in Copilot allows an unauthorized attacker to disclose information over a network.

CVE-2026-20848 Windows SMB Server Elevation of Privilege Vulnerability

Published January 21, 2026

Updated the build numbers. This is an informational update only.

CVE-2026-21221 Capability Access Management Service (camsvc) Elevation of Privilege Vulnerability

Published January 21, 2026

Updated the build numbers. This is an informational update only.

CVE-2026-20830 Capability Access Management Service (camsvc) Elevation of Privilege Vulnerability

Published January 21, 2026

Updated the build numbers. This is an informational update only.

CVE-2026-20943 Microsoft Office Click-To-Run Remote Code Execution Vulnerability

Published January 21, 2026

Updated FAQ information. This is an informational change only.

CVE-2026-20818 Windows Kernel Information Disclosure Vulnerability

Published January 21, 2026

Updated the build numbers. This is an informational update only.

Chromium: CVE-2026-0901 Inappropriate implementation in Blink

Published January 16, 2026

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2024 ) for more information.