Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.
The vulnerability is caused by improper control of code generation (CWE-94 β Improper Control of Generation of Code). An attacker with an account in the system can submit specially crafted data over the network, which is then interpreted and executed as code by the application. The network attack vector with low complexity and no required user interaction significantly lowers the threshold for exploiting the vulnerability. The attack scope extends beyond the vulnerable component, meaning the ability to impact resources outside the direct Dynamics 365 environment.
An attacker can gain full control of the system through remote code execution, leading to violation of confidentiality, integrity, and availability of data and infrastructure.
Apply patches available from the vendor according to references published in Microsoft Security Response Center at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42898
Microsoft Dynamics 365 (on-premises) β specific versions indicated in vendor references (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42898)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HMicrosoft Dynamics 365
APPMicrosoft9.1.1.914 β 9.1.45.11 (bez)
Related vulnerabilities
Improper access control in Microsoft Dynamics 365 allows an authorized attacker to elevate privileges over a n...
Code injection w Microsoft Dynamics 365 On-Premises β zdalne wykonanie kodu
SSRF w Microsoft Dynamics 365 umoΕΌliwia spoofing sieciowy
SΕabe uwierzytelnianie w Microsoft Dynamics 365 umoΕΌliwia privilege escalation
Improper neutralization of input during web page generation ('cross-site scripting') in Dynamics 365 Field Ser...