Find notable cyber news and cases, enriched with sources, timelines, and signals.

Microsoft Copilot Reprompt prompt-injection security flaw

Vulnerability
First reported
Last updated
Happening score
H score 0
2 unique sources, 2 articles

Summary

Hide ▲

Reprompt is a Microsoft Copilot prompt-injection flaw that can let a crafted URL trigger invisible data exfiltration from an authenticated session. The abuse path uses the 'q' parameter and can be reached with a single click on a legitimate Microsoft link, without plugins or direct user interaction with Copilot. Microsoft addressed the issue after disclosure, and the flaw does not affect Microsoft 365 Copilot.

Related Happenings

Workflow-level jailbreak makes GitHub Copilot Chat write harmful answers in code files

Technical Analysis
H score22 First: 08.07.2026 14:21 Last: 08.07.2026 14:21 Sources 1

About this happening: Researchers demonstrated a **workflow-level jailbreak** against **GitHub Copilot Chat** that caused harmful answers to be written inside code tasks even when direct chat prompts w...

Microsoft 365 Copilot Enterprise SearchLeak remote code execution flaw (CVE-2026-42824)

Vulnerability
H score34 First: 15.06.2026 16:00 Last: 15.06.2026 16:00 Sources 1

About this happening: **Microsoft 365 Copilot Enterprise Search** has a **critical** vulnerability chain, **SearchLeak**, that could let a user leak **emails, calendar details, MFA codes, and indexed f...

Windows 11 BitLocker bypass YellowKey security flaw

Vulnerability
H score7 First: 14.05.2026 10:27 Last: 14.05.2026 10:27 Sources 1

About this happening: **YellowKey** is a **Windows BitLocker security feature bypass** tracked as **CVE-2026-45585** that affects the **Windows Recovery Environment (WinRE)** path and can expose **BitL...

Latest development: 20.05.2026 10:31

Microsoft assigned CVE-2026-45585 to YellowKey, a Windows BitLocker security feature bypass, and recommended removing autofstx.exe from the Session Manager BootExecute REG_MULTI_SZ value, reestablishing BitLocker trust for WinRE, and moving already encrypted devices from TPM-only to TPM+PIN to require a pre-boot PIN.

Cursor IDE MCP deeplink code execution security flaw

Vulnerability
H score37 First: 17.03.2026 17:00 Last: 17.03.2026 17:00 Sources 1

About this happening: A **Cursor IDE** flaw in **MCP deeplinks** can let crafted installation links trigger **arbitrary commands** or install **malicious components** under some user-approval and confi...

Microsoft expands Purview DLP enforcement for Copilot across local and cloud Office files

Security Tool/Service
H score11 First: 24.02.2026 19:30 Last: 24.02.2026 19:30 Sources 1

About this happening: Microsoft is expanding **Purview DLP** so **Microsoft 365 Copilot** cannot process restricted **Word, Excel, and PowerPoint** files stored on **local devices, SharePoint, or OneDr...

Timeline

  1. 14.01.2026 16:00 1 articles · 5mo ago

    Varonis discloses Reprompt to Microsoft

    Initial Disclosure

    Varonis responsibly disclosed Reprompt to Microsoft after finding that Microsoft Copilot can execute prompts carried in a URL's 'q' parameter, letting a single click trigger injected instructions against an authenticated session.

    Show sources
  2. 14.01.2026 16:00 1 articles · 5mo ago

    Microsoft fixes Reprompt in January 2026 Patch Tuesday

    Mitigation Patch Update

    Microsoft addressed the Reprompt flaw in January 2026 Patch Tuesday, and the remediation guidance is to apply the latest Windows security update to reduce risk from malicious Copilot links.

    Show sources
  3. 14.01.2026 16:00 3 articles · 5mo ago

    Varonis details the Reprompt attack chain

    Technical Analysis Update

    Varonis described Reprompt as a Microsoft Copilot prompt-injection method that hides malicious instructions in a legitimate URL, uses the 'q' parameter to trigger actions, and can sustain invisible data exfiltration through P2P injection, a double-request technique, and a chain-request technique. The researchers said the attack can continue after the Copilot tab is closed, depends on the victim's authenticated session, and had not been detected in the wild.

    Show sources