Skip to main content

Microsoft Power Pages CVE-2026-23652

| EUVDEUVD-2026-31508 CRITICAL
Command Injection (CWE-77)
2026-05-22 microsoft GHSA-j3gf-wx64-3r7p
10.0
CVSS 3.1 · NVD
Temporal: 8.7
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CIRCL (temporal)
8.7 HIGH
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 22, 2026 - 22:45 vuln.today

DescriptionCVE.org

Improper neutralization of special elements used in a command ('command injection') in Microsoft Power Pages allows an unauthorized attacker to execute code over a network.

AnalysisAI

Remote code execution in Microsoft Power Pages allows unauthenticated network attackers to inject and execute operating-system commands against the platform, with a maximum CVSS score of 10.0 reflecting changed scope and full confidentiality, integrity, and availability impact. The flaw stems from improper neutralization of special elements in command construction (CWE-77), and while no public exploit has been identified at time of analysis, Microsoft has released a patch via MSRC. Given Power Pages is a multi-tenant SaaS offering, a successful exploit could pivot beyond the initial site boundary.

Technical ContextAI

Microsoft Power Pages (formerly Power Apps Portals) is a low-code SaaS platform within the Power Platform family for building externally-facing business websites backed by Dataverse. The CPE cpe:2.3:a:microsoft:microsoft_power_pages:*:*:*:*:*:*:*:* indicates all versions of the service are in scope prior to the Microsoft-side fix. The root cause is CWE-77 (Improper Neutralization of Special Elements used in a Command), meaning user-controlled input is concatenated into a command interpreter or shell invocation without adequate escaping or allow-listing, enabling attacker-controlled command syntax to be parsed and executed by the underlying system.

RemediationAI

Apply the vendor-released patch tracked under MSRC advisory https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23652; because Power Pages is a Microsoft-operated SaaS, much of the remediation is expected to be applied service-side by Microsoft, but administrators should review the advisory for any tenant-side actions such as updating portal solutions, refreshing site versions, or rotating credentials and secrets that may have been exposed. Until confirmation that all environments have been updated, compensating controls include restricting public-facing portal endpoints behind WAF/IP allow-listing with rules to block shell metacharacters in query and form parameters (with the trade-off of false positives on legitimate special characters), disabling or scoping down high-privilege custom Power Pages components and Liquid templates that invoke server-side actions, and increasing monitoring on Dataverse audit logs and Power Platform admin center activity for anomalous administrative operations. Avoid exposing non-essential portals to the internet during the remediation window.

Share

CVE-2026-23652 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy