
Summaries like this, in your inbox every morning.
Sign up free →Microsoft assigned CVE-2026-21520 (CVSS 7.5) to an indirect prompt injection flaw in Copilot Studio discovered by Capsule Security, with the patch deployed January 15, 2026.
The CVE assignment is unusual because it marks the first time Microsoft has formally recognized a prompt injection vulnerability in an agentic platform—previously only assigning CVE-2025-32711 to M365 Copilot's EchoLeak.
Prompt injection vulnerabilities in agent-building platforms represent a new vulnerability class that enterprises cannot fully eliminate through patches alone, raising ongoing security concerns.
Capsule Security also discovered PipeLeak, a parallel indirect prompt injection vulnerability affecting Salesforce Agentforce, suggesting the issue extends beyond Microsoft's ecosystem.
No comments yet. Be the first to share your thoughts!
Log in to join the discussion



Get curated AI news from 200+ sources delivered daily to your inbox. Free to use.
Get Started FreeFree · takes 30 seconds · unsubscribe anytime
1 minute a day. The AI essentials.
200+ sources · Email / LINE / Slack