CVE-2026-32191
Published: 19 March 2026
Description
Improper neutralization of special elements used in an os command ('os command injection') in Microsoft Bing Images allows an unauthorized attacker to execute code over a network.
Mitigating Controls (NIST 800-53 r5)AI
SI-10 directly requires information input validation and error handling to neutralize special elements, preventing the OS command injection vulnerability in Microsoft Bing Images.
SI-2 mandates identification, reporting, and remediation of flaws like CVE-2026-32191, enabling application of patches from the MSRC advisory.
SI-4 provides system monitoring to detect indicators of successful OS command injection exploitation, such as unauthorized code execution or anomalous behavior.
Security SummaryAI
CVE-2026-32191 is an OS command injection vulnerability (CWE-78) in Microsoft Bing Images, caused by improper neutralization of special elements used in an OS command. Published on 2026-03-19, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.
An unauthorized attacker can exploit this vulnerability remotely over the network with low attack complexity, requiring no privileges, user interaction, or special scoping changes. Exploitation enables arbitrary code execution on the affected component, compromising confidentiality, integrity, and availability to a high degree.
The Microsoft Security Response Center advisory provides details on mitigation and patches at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32191.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2026-32191 is a critical remote OS command injection vulnerability in the public-facing Microsoft Bing Images service, enabling arbitrary code execution without authentication or user interaction, directly mapping to exploitation of public-facing applications.