Description
Improper control of generation of code ('code injection') in Microsoft Data Formulator allows an unauthorized attacker to execute code over a network.
Published: 2026-05-12
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a code injection flaw (CWE‑94) that allows an unauthenticated attacker to cause Microsoft Data Formulator to generate and execute arbitrary code. This results in remote code execution on the affected host, compromising confidentiality, integrity, and availability.

Affected Systems

Microsoft Data Formulator is affected. No specific product versions are listed in the advisory, so the risk applies to all installed instances until a vendor update is released.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. No EPSS score is available, and the vulnerability is absent from the CISA KEV catalog, which suggests no documented exploitation yet. The attack vector is remote over the network (AV:N in the CVSS vector recorded for this CVE), requiring the attacker to transmit malicious input to the Data Formulator service; the same vector marks user interaction as required (UI:R). If exploited, the attacker could run arbitrary code with the privileges of the application process.

Generated by OpenCVE AI on May 12, 2026 at 20:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available software update or patch released by Microsoft for Data Formulator that addresses the code injection issue
  • Restrict access to the Data Formulator service by implementing network segmentation or firewall rules, limiting connections to trusted hosts
  • Continuously monitor system logs for abnormal code execution attempts or changes in file integrity
  • Validate and sanitize all user-supplied inputs to the Data Formulator, ensuring strict input validation as guided by CWE‑94 remediation practices



Advisories

No advisories yet.

History

Tue, 12 May 2026 23:15:00 +0000

Type | Values Removed | Values Added
--- | --- | ---
First Time appeared | | Microsoft data Formulator
Vendors & Products | | Microsoft data Formulator

Tue, 12 May 2026 17:30:00 +0000

Type | Values Removed | Values Added
--- | --- | ---
Description | | Improper control of generation of code ('code injection') in Microsoft Data Formulator allows an unauthorized attacker to execute code over a network.
Title | | Microsoft Data Formulator Remote Code Execution Vulnerability
First Time appeared | | Microsoft, Microsoft data Formulator
Weaknesses | | CWE-94
CPEs | | cpe:2.3:a:microsoft:data_Formulator:*:*:*:*:*:*:*:*
Vendors & Products | | Microsoft, Microsoft data Formulator
References | |
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-13T03:56:48.743Z

Reserved: 2026-04-16T19:12:36.195Z

Link: CVE-2026-41094

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T18:17:20.890

Modified: 2026-05-12T18:17:20.890

Link: CVE-2026-41094

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T23:00:10Z
