CRITICALβœ“ PATCHπŸ‡΅πŸ‡± Wersja polska

CVE-2026-42898

CVSS 9.9v3.1pub. 2026-05-12upd. 2026-05-14

Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.

πŸ€– AI Analysis
How it works

The vulnerability is caused by improper control of code generation (CWE-94 β€” Improper Control of Generation of Code). An attacker with an account in the system can submit specially crafted data over the network, which is then interpreted and executed as code by the application. The network attack vector with low complexity and no required user interaction significantly lowers the threshold for exploiting the vulnerability. The attack scope extends beyond the vulnerable component, meaning the ability to impact resources outside the direct Dynamics 365 environment.

Impact

An attacker can gain full control of the system through remote code execution, leading to violation of confidentiality, integrity, and availability of data and infrastructure.

Mitigation & patch

Apply patches available from the vendor according to references published in Microsoft Security Response Center at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42898

Who is affected

Microsoft Dynamics 365 (on-premises) β€” specific versions indicated in vendor references (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42898)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Microsoft Dynamics 365

    APP
    Microsoft
    9.1.1.914 – 9.1.45.11 (bez)
🟒
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2026-47647CRITICAL9.9ten sam produkt

Improper access control in Microsoft Dynamics 365 allows an authorized attacker to elevate privileges over a n...

CVE-2026-42833CRITICAL9.1PL βœ“ten sam produkt

Code injection w Microsoft Dynamics 365 On-Premises β€” zdalne wykonanie kodu

CVE-2026-32210CRITICAL9.3PL βœ“ten sam produkt

SSRF w Microsoft Dynamics 365 umoΕΌliwia spoofing sieciowy

CVE-2024-38182CRITICAL9.0PL βœ“ten sam produkt

SΕ‚abe uwierzytelnianie w Microsoft Dynamics 365 umoΕΌliwia privilege escalation

CVE-2025-62210HIGH8.7ten sam produkt

Improper neutralization of input during web page generation ('cross-site scripting') in Dynamics 365 Field Ser...

CVE-2026-42898 β€” Microsoft β€” Dynamics 365 β€” CRITICAL β€” CVSS 9.9 | CVEbaza.pl