VYPR
Critical severity9.0NVD Advisory· Published Apr 14, 2026· Updated May 7, 2026

CVE-2026-26149

CVE-2026-26149

Description

Improper neutralization of escape, meta, or control sequences in Microsoft Power Apps allows an authorized attacker to perform spoofing over a network.

Affected products

2
  • cpe:2.3:a:microsoft:power_apps:*:*:*:*:*:windows:*:*+ 1 more
    • cpe:2.3:a:microsoft:power_apps:*:*:*:*:*:windows:*:*range: <3.26032.10.0
    • (no CPE)

Patches

Vulnerability mechanics

References

1

News mentions

1