Microsoft PowerShell Vulnerability Allows RCE via Help File Directory Traversal
A directory traversal vulnerability in Microsoft PowerShell, tracked as CVE-2026-40400, allows remote code execution with user interaction.

Zero Day Initiative (ZDI) has disclosed a critical remote code execution vulnerability affecting Microsoft PowerShell, identified as ZDI-26-414 and assigned CVE-2026-40400. This flaw, which carries a CVSS score of 7.8, enables attackers to execute arbitrary code on vulnerable systems, though it requires user interaction for exploitation.
The vulnerability stems from an improper validation of user-supplied paths within the parsing of PowerShell module help files. Attackers can exploit this weakness by crafting malicious help files that, when processed by PowerShell, allow them to traverse directories and potentially overwrite or execute arbitrary code in the context of the logged-in user. This could lead to a full system compromise if the user has elevated privileges.
Exploitation typically involves tricking a user into visiting a malicious webpage that triggers the PowerShell processing or by opening a specially crafted file that contains the malicious help content. The need for user interaction means that social engineering tactics or the delivery of malicious files are key components of any potential attack chain.
Microsoft has acknowledged the vulnerability and released security updates to address it. Users are strongly advised to apply the patches provided by Microsoft to mitigate the risk of exploitation. Further details on the update can be found on Microsoft's Security Update Guide.
The disclosure timeline indicates that the vulnerability was initially reported to Microsoft on May 28, 2026. Following coordinated public disclosure efforts, ZDI released its advisory on July 15, 2026, the same day Microsoft's advisory was updated to include details on the fix.
This vulnerability was discovered by Richard Chen of TrendAI Research, who has been credited for their work in identifying and reporting this security flaw. The discovery highlights the ongoing need for vigilance in securing software components, even those as fundamental as help file parsing mechanisms.
While the vulnerability requires user interaction, its presence in a widely used tool like PowerShell makes it a significant concern. Organizations should ensure their PowerShell environments are up-to-date and that users are educated about the risks of opening untrusted files or visiting suspicious websites.
The successful exploitation of this directory traversal flaw could have severe consequences, ranging from unauthorized data access to complete system takeover, underscoring the importance of timely patching and robust security practices.