Critical severityNVD Advisory· Published May 12, 2026· Updated May 21, 2026

Microsoft Power Pages Remote Code Execution Vulnerability

CVE-2026-23652

Description

Improper neutralization of special elements used in a command ('command injection') in Microsoft Power Pages allows an unauthorized attacker to execute code over a network.

Affected products

Microsoft/Power Pagesllm-create

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000