Improper neutralization of special elements used in a command ('command injection') in Microsoft Power Pages allows an unauthorized attacker to execute code over a network.
The flaw lies in improper neutralization of special characters in input data passed to system commands (CWE-77: command injection). An attacker can submit crafted data over the network without needing any privileges or user interaction. The network attack vector (AV:N), no privilege requirements (PR:N), and no user interaction (UI:N) make it possible to conduct the attack fully automatically.
An attacker can execute arbitrary code on the server hosting Microsoft Power Pages, gaining full control over the confidentiality, integrity, and availability of the system — including potentially resources beyond the direct scope of the vulnerable service (S:C).
Apply patches available from the vendor according to references published at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23652. Until the fix is deployed, it is recommended to restrict network access to Microsoft Power Pages instances and monitor traffic for anomalies.
Microsoft Power Pages — versions indicated in the vendor references (Microsoft Security Response Center).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HMicrosoft Power Pages
APPMicrosoftwszystkie wersje
Related vulnerabilities
An improper access control vulnerability in Power Pages allows an unauthorized attacker to elevate privileges ...
Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów
RCE przez deserializację niezaufanych danych w Microsoft SharePoint Server
RCE w Windows Server Update Service (WSUS) — deserializacja danych
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty