CVE-2026-42833

Published May 12, 2026

Last updated 16 days ago

CVSS critical 9.1

Overview

Description
Execution with unnecessary privileges in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.
Source
secure@microsoft.com
NVD status
Analyzed
Products
dynamics_365

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.1
Impact score
6
Exploitability score
2.3
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

secure@microsoft.com
CWE-250
nvd@nist.gov
NVD-CWE-noinfo

Social media

Hype score
Not currently trending

Configurations

Related CVEs

  1. Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.CVE-2026-42898
  2. Server-side request forgery (ssrf) in Microsoft Dynamics 365 (Online) allows an unauthorized attacker to perform spoofing over a network.CVE-2026-32210
  3. Improper access control in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to disclose information locally.CVE-2026-33103
  4. Improper neutralization of input during web page generation ('cross-site scripting') in Dynamics 365 Field Service (online) allows an authorized attacker to perform spoofing over a network.CVE-2025-62211
  5. Improper neutralization of input during web page generation ('cross-site scripting') in Dynamics 365 Field Service (online) allows an authorized attacker to perform spoofing over a network.CVE-2025-62210

References

Sources include official advisories and independent security research.