Description
Improper neutralization of special elements used in an os command ('os command injection') in Microsoft Bing Images allows an unauthorized attacker to execute code over a network.
Published: 2026-03-19
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an OS Command Injection flaw (CWE-78) where special elements within an OS command are not properly neutralized in Microsoft Bing Images. This defect allows an unauthorized attacker to inject and execute arbitrary OS commands, granting the attacker the ability to run code on the affected system.

Affected Systems

The affected product is Microsoft Bing Images. Version information is not provided, so any installation of Bing Images that has not received the Microsoft security update for CVE‑2026‑32191 is potentially vulnerable.

Risk and Exploitability

The CVSS score is 9.8, indicating critical severity. EPSS score is not available and the vulnerability is not listed in CISA KEV. Based on the description, the attack vector is network‑based and does not require authentication, implying a high likelihood that an attacker could exploit the flaw if the service is exposed to the internet.

Generated by OpenCVE AI on March 19, 2026 at 22:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and apply the Microsoft security update for Bing Images from the Microsoft Security Response Center.
  • Verify that the update has been deployed by checking the product version or patch baseline.
  • If the update cannot be applied immediately, restrict network access to the Bing Images service so that only trusted hosts may communicate with it.

Generated by OpenCVE AI on March 19, 2026 at 22:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Description Improper neutralization of special elements used in an os command ('os command injection') in Microsoft Bing Images allows an unauthorized attacker to execute code over a network.
Title Microsoft Bing Images Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft bing Images
Weaknesses CWE-78
CPEs cpe:2.3:a:microsoft:bing_images:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft bing Images
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Bing Images
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-09T23:25:57.817Z

Reserved: 2026-03-11T00:26:53.427Z

Link: CVE-2026-32191

cve-icon Vulnrichment

Updated: 2026-03-20T15:17:49.641Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-19T21:17:10.400

Modified: 2026-03-20T13:39:46.493

Link: CVE-2026-32191

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T11:06:10Z

Weaknesses