Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Improper neutralization of special elements used in a command ('command injection') in Microsoft Bing Images allows an unauthorized attacker to execute code over a network.
AnalysisAI
A critical command injection vulnerability exists in Microsoft Bing Images that allows unauthenticated remote attackers to execute arbitrary commands on affected systems. The vulnerability stems from improper neutralization of special characters in user-supplied input, enabling attackers to inject and execute system commands without any user interaction or authentication. With a CVSS score of 9.8 and requiring no special privileges or user interaction, this represents a severe risk to any exposed Bing Images deployments.
Technical ContextAI
The vulnerability affects Microsoft Bing Images (CPE: cpe:2.3:a:microsoft:microsoft_bing_images:*:*:*:*:*:*:*:*) and is classified as CWE-77, which indicates improper neutralization of special elements used in a command. This type of vulnerability occurs when an application constructs system commands using externally-supplied input without properly sanitizing special characters like semicolons, pipes, or backticks that can be used to chain or inject additional commands. The affected versions according to EUVD data span all Microsoft Bing Images versions up to and including the current release, suggesting this is a fundamental flaw in how the application processes certain types of input data.
RemediationAI
Microsoft has released a patch for this vulnerability which should be applied immediately given the critical severity and ease of exploitation. Organizations should update Microsoft Bing Images to the latest patched version available through the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32194. Until patching is complete, consider implementing network segmentation to limit exposure of Bing Images services, deploy web application firewalls with command injection detection rules, and monitor for suspicious command execution patterns in application logs.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13207