Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Improper neutralization of special elements used in a command ('command injection') in Microsoft Power Pages allows an unauthorized attacker to execute code over a network.
AnalysisAI
Remote code execution in Microsoft Power Pages allows unauthenticated network attackers to inject and execute operating-system commands against the platform, with a maximum CVSS score of 10.0 reflecting changed scope and full confidentiality, integrity, and availability impact. The flaw stems from improper neutralization of special elements in command construction (CWE-77), and while no public exploit has been identified at time of analysis, Microsoft has released a patch via MSRC. Given Power Pages is a multi-tenant SaaS offering, a successful exploit could pivot beyond the initial site boundary.
Technical ContextAI
Microsoft Power Pages (formerly Power Apps Portals) is a low-code SaaS platform within the Power Platform family for building externally-facing business websites backed by Dataverse. The CPE cpe:2.3:a:microsoft:microsoft_power_pages:*:*:*:*:*:*:*:* indicates all versions of the service are in scope prior to the Microsoft-side fix. The root cause is CWE-77 (Improper Neutralization of Special Elements used in a Command), meaning user-controlled input is concatenated into a command interpreter or shell invocation without adequate escaping or allow-listing, enabling attacker-controlled command syntax to be parsed and executed by the underlying system.
RemediationAI
Apply the vendor-released patch tracked under MSRC advisory https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23652; because Power Pages is a Microsoft-operated SaaS, much of the remediation is expected to be applied service-side by Microsoft, but administrators should review the advisory for any tenant-side actions such as updating portal solutions, refreshing site versions, or rotating credentials and secrets that may have been exposed. Until confirmation that all environments have been updated, compensating controls include restricting public-facing portal endpoints behind WAF/IP allow-listing with rules to block shell metacharacters in query and form parameters (with the trade-off of false positives on legitimate special characters), disabling or scoping down high-privilege custom Power Pages components and Liquid templates that invoke server-side actions, and increasing monitoring on Dataverse audit logs and Power Platform admin center activity for anomalous administrative operations. Avoid exposing non-essential portals to the internet during the remediation window.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31508
GHSA-j3gf-wx64-3r7p