CVE-2026-23652

CriticalRCE

Published: 22 May 2026

Published

22 May 2026

Modified

27 May 2026

KEV Added

—

Patch

—

CVSS Score 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0011 28.2th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-23652 is a critical-severity Command Injection (CWE-77) vulnerability in Microsoft Power Pages. Its CVSS base score is 10.0 (Critical).

Operationally, ranked at the 28.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

NVD Description

Improper neutralization of special elements used in a command ('command injection') in Microsoft Power Pages allows an unauthorized attacker to execute code over a network.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s): CWE-77
OWASP Top 10 Web 2025: A05:2025

Affected Products

microsoft

power pages

all versions

EU & UK References

🇪🇺 ENISA EUVD: EUVD-2026-31508

Regulatory context (EU CRA / NIS2 / DORA / UK NIS Regulations)

EU Cyber Resilience Act — coordinated disclosure

Critical and high-severity vulnerabilities in products with digital elements may trigger coordinated-disclosure obligations under the EU Cyber Resilience Act (CRA, Regulation 2024/2847). Manufacturers placing products on the EU market must notify ENISA and the relevant CSIRTs without undue delay once active exploitation is known.

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23652
Vendor Advisory · secure@microsoft.com