Skip to main content

Microsoft CVE-2026-32194

| EUVDEUVD-2026-13207 CRITICAL
Command Injection (CWE-77)
2026-03-19 microsoft
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
EUVD ID Assigned
Mar 19, 2026 - 22:00 euvd
EUVD-2026-13207
Analysis Generated
Mar 19, 2026 - 22:00 vuln.today
Patch released
Mar 19, 2026 - 22:00 nvd
Patch available
CVE Published
Mar 19, 2026 - 21:21 nvd
CRITICAL 9.8

DescriptionCVE.org

Improper neutralization of special elements used in a command ('command injection') in Microsoft Bing Images allows an unauthorized attacker to execute code over a network.

AnalysisAI

A critical command injection vulnerability exists in Microsoft Bing Images that allows unauthenticated remote attackers to execute arbitrary commands on affected systems. The vulnerability stems from improper neutralization of special characters in user-supplied input, enabling attackers to inject and execute system commands without any user interaction or authentication. With a CVSS score of 9.8 and requiring no special privileges or user interaction, this represents a severe risk to any exposed Bing Images deployments.

Technical ContextAI

The vulnerability affects Microsoft Bing Images (CPE: cpe:2.3:a:microsoft:microsoft_bing_images:*:*:*:*:*:*:*:*) and is classified as CWE-77, which indicates improper neutralization of special elements used in a command. This type of vulnerability occurs when an application constructs system commands using externally-supplied input without properly sanitizing special characters like semicolons, pipes, or backticks that can be used to chain or inject additional commands. The affected versions according to EUVD data span all Microsoft Bing Images versions up to and including the current release, suggesting this is a fundamental flaw in how the application processes certain types of input data.

RemediationAI

Microsoft has released a patch for this vulnerability which should be applied immediately given the critical severity and ease of exploitation. Organizations should update Microsoft Bing Images to the latest patched version available through the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32194. Until patching is complete, consider implementing network segmentation to limit exposure of Bing Images services, deploy web application firewalls with command injection detection rules, and monitor for suspicious command execution patterns in application logs.

Share

CVE-2026-32194 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy