Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Improper neutralization of special elements used in an os command ('os command injection') in Microsoft Bing Images allows an unauthorized attacker to execute code over a network.
AnalysisAI
A critical OS command injection vulnerability exists in Microsoft Bing Images that allows remote attackers to execute arbitrary commands without authentication. The vulnerability enables complete system compromise with high impact to confidentiality, integrity, and availability. With a CVSS score of 9.8 and requiring no user interaction, this represents a severe risk to any systems running vulnerable versions of Bing Images.
Technical ContextAI
This vulnerability stems from improper neutralization of special elements used in OS commands (CWE-78), a class of injection flaws where user-supplied input is passed to system shell commands without proper sanitization. The affected component is Microsoft Bing Images, though specific CPE identifiers are not provided in the available intelligence. Command injection vulnerabilities occur when applications construct system commands using untrusted input, allowing attackers to inject shell metacharacters or command separators to execute unauthorized commands with the privileges of the vulnerable application.
RemediationAI
Apply security updates from Microsoft as soon as they become available through the Microsoft Security Response Center update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32191. Until patches can be applied, consider implementing network segmentation to limit access to systems running Bing Images components, deploy web application firewalls with command injection detection rules, and monitor for suspicious command execution patterns. Input validation and output encoding should be enforced at application boundaries as defense-in-depth measures.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13206