Description
Improper neutralization of special elements used in a command ('command injection') in Microsoft Power Pages allows an unauthorized attacker to execute code over a network.
Published: 2026-05-22
Score: 10 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a command injection flaw (CWE‑77) caused by improper neutralization of special elements used in a system command. An attacker who can send network traffic to a vulnerable Microsoft Power Pages instance can cause arbitrary commands to run, resulting in full remote code execution and compromising confidentiality, integrity and availability of the affected system.

Affected Systems

Microsoft Power Pages deployments are affected. The advisory does not specify particular versions; the vulnerability may apply to any current installation of the product. Administrators should verify whether their environment is using a version that is patched by the latest security update.

Risk and Exploitability

The CVSS score of 10 indicates critical severity. The EPSS score is unavailable, so there is no estimate of the likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the flaw remotely over the network, so a publicly accessible, unpatched instance presents a high potential for exploitation.

Generated by OpenCVE AI on May 23, 2026 at 00:21 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft Power Pages security update that mitigates CVE-2026-23652.
  • Limit network connectivity to the Power Pages instance by configuring firewall rules or VPN to allow traffic only from trusted hosts.
  • Monitor Power Pages logs for signs of unexpected command execution or anomalous activity and review configurations to enforce input validation where feasible.



Advisories

No advisories yet.

History

Fri, 22 May 2026 22:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Improper neutralization of special elements used in a command ('command injection') in Microsoft Power Pages allows an unauthorized attacker to execute code over a network. |
| Title | | Microsoft Power Pages Remote Code Execution Vulnerability |
| First Time appeared | | Microsoft, Microsoft power Pages |
| Weaknesses | | CWE-77 |
| CPEs | | cpe:2.3:a:microsoft:power_pages:*:*:*:*:*:*:*:* |
| Vendors & Products | | Microsoft, Microsoft power Pages |
| References | | |
| Metrics | | cvssV3_1 {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C'} |


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-22T22:03:05.215Z

Reserved: 2026-01-14T16:59:33.462Z

Link: CVE-2026-23652

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-23T00:30:05Z

Weaknesses