CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-23652

CVSS 10.0v3.1pub. 2026-05-22upd. 2026-05-27

Improper neutralization of special elements used in a command ('command injection') in Microsoft Power Pages allows an unauthorized attacker to execute code over a network.

🤖 AI Analysis
How it works

The flaw lies in improper neutralization of special characters in input data passed to system commands (CWE-77: command injection). An attacker can submit crafted data over the network without needing any privileges or user interaction. The network attack vector (AV:N), no privilege requirements (PR:N), and no user interaction (UI:N) make it possible to conduct the attack fully automatically.

Impact

An attacker can execute arbitrary code on the server hosting Microsoft Power Pages, gaining full control over the confidentiality, integrity, and availability of the system — including potentially resources beyond the direct scope of the vulnerable service (S:C).

Mitigation & patch

Apply patches available from the vendor according to references published at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23652. Until the fix is deployed, it is recommended to restrict network access to Microsoft Power Pages instances and monitor traffic for anomalies.

Who is affected

Microsoft Power Pages — versions indicated in the vendor references (Microsoft Security Response Center).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Microsoft Power Pages

    APP
    Microsoft
    wszystkie wersje
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2025-24989HIGH8.2⚠ KEVten sam produkt

An improper access control vulnerability in Power Pages allows an unauthorized attacker to elevate privileges ...

CVE-2026-8398CRITICAL9.3⚠ KEVPL ✓ten sam vendor

Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów

CVE-2026-20963CRITICAL9.8⚠ KEVPL ✓ten sam vendor

RCE przez deserializację niezaufanych danych w Microsoft SharePoint Server

CVE-2025-59287CRITICAL9.8⚠ KEVPL ✓ten sam vendor

RCE w Windows Server Update Service (WSUS) — deserializacja danych

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam vendor

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty