CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-41104

CVSS 10.0v3.1pub. 2026-05-22upd. 2026-05-29

Deserialization of untrusted data in Microsoft Planetary Computer Pro allows an unauthorized attacker to disclose information over a network.

🤖 AI Analysis
How it works

An attacker sends specially crafted data over the network, which the Microsoft Planetary Computer Pro application deserializes without proper verification of its origin and content. The process of deserializing untrusted data can lead to unintended server-side logic execution. The attack vector is network-based, requires no authentication or any user interaction, and the vulnerability affects components outside the direct scope of the application (Scope: Changed).

Impact

An attacker can gain unauthorized access to sensitive information processed or stored by Microsoft Planetary Computer Pro. High impact on confidentiality, integrity, and availability indicates the possibility of serious compromise of the environment in which the application operates.

Mitigation & patch

Apply patches available from the vendor according to the references — details regarding the patched version are available in the Microsoft Security Response Center at: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41104

Who is affected

Microsoft Planetary Computer Pro — versions indicated in the vendor's references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Microsoft Planetary Computer

    APP
    Microsoft
    wszystkie wersje
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
Deserialization
CWE
References

Related vulnerabilities

CVE-2026-8398CRITICAL9.3⚠ KEVPL ✓ten sam vendor

Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów

CVE-2026-20963CRITICAL9.8⚠ KEVPL ✓ten sam vendor

RCE przez deserializację niezaufanych danych w Microsoft SharePoint Server

CVE-2025-59287CRITICAL9.8⚠ KEVPL ✓ten sam vendor

RCE w Windows Server Update Service (WSUS) — deserializacja danych

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam vendor

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-53770CRITICAL9.8⚠ KEVPL ✓ten sam vendor

RCE przez deserialization w Microsoft SharePoint Server (on-premises)