{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32194", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2026-03-11T00:26:53.427Z", "datePublished": "2026-03-19T21:21:22.762Z", "dateUpdated": "2026-04-14T16:36:33.188Z"}, "containers": {"cna": {"title": "Microsoft Bing Images Remote Code Execution Vulnerability", "datePublic": "2026-03-19T14:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:bing_images:*:*:*:*:*:*:*:*", "versionStartIncluding": "-"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Bing Images", "versions": [{"version": "-", "status": "affected"}]}], "descriptions": [{"value": "Improper neutralization of special elements used in a command ('command injection') in Microsoft Bing Images allows an unauthorized attacker to execute code over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')", "lang": "en-US", "type": "CWE", "cweId": "CWE-77"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-14T16:36:33.188Z"}, "references": [{"name": "Microsoft Bing Images Remote Code Execution Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32194"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "CRITICAL", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}}], "tags": ["exclusively-hosted-service"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-32194"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-21T04:01:47.064Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32194", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-20T20:17:10.132299Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T20:17:16.304Z"}}], "cna": {"tags": ["exclusively-hosted-service"], "title": "Microsoft Bing Images Remote Code Execution Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Bing Images", "versions": [{"status": "affected", "version": "-"}]}], "datePublic": "2026-03-19T14:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32194", "name": "Microsoft Bing Images Remote Code Execution Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Improper neutralization of special elements used in a command ('command injection') in Microsoft Bing Images allows an unauthorized attacker to execute code over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:bing_images:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "-"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-14T16:36:33.188Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32194", "state": "PUBLISHED", "dateUpdated": "2026-04-14T16:36:33.188Z", "dateReserved": "2026-03-11T00:26:53.427Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-03-19T21:21:22.762Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:bing_images:-:*:*:*:*:*:*:*", "matchCriteriaId": "5B3D4053-7DAF-4AB9-86E8-33D45C8EF86B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "secure@microsoft.com", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "Improper neutralization of special elements used in a command ('command injection') in Microsoft Bing Images allows an unauthorized attacker to execute code over a network."}, {"lang": "es", "value": "Neutralizaci\u00f3n incorrecta de elementos especiales utilizados en un comando ('inyecci\u00f3n de comandos') en Microsoft Bing Images permite a un atacante no autorizado ejecutar c\u00f3digo a trav\u00e9s de una red."}], "id": "CVE-2026-32194", "lastModified": "2026-04-14T16:35:28.323", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "secure@microsoft.com", "type": "Primary"}]}, "published": "2026-03-19T22:16:41.130", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32194"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}]}, "product": "bing_images", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-04-14T17:29:12.180113+00:00", "value": {"mitigation_remediation": ["Apply the Microsoft security update for Bing Images referenced at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32194", "Verify that the patched version is running on all affected systems", "If immediate patching is not feasible, restrict network access to the Bing Images service using firewall rules or disable the feature entirely", "Monitor inbound traffic for suspicious request patterns that may indicate attempts to exploit command injection"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Microsoft Bing Images is the affected product. No specific version information is disclosed. Administrators should verify which instances of Bing Images are deployed and identify the exact version to determine whether they are exposed.", "description_and_impact": "Microsoft Bing Images has a flaw where special elements used in command construction are not properly neutralized, allowing attackers to inject arbitrary commands. The vulnerability enables execution of code on the target system, potentially compromising application integrity, confidentiality, and availability. Since the issue is a classic command injection, a successful attack could grant an attacker full control over the affected service or the underlying host.", "risk_and_exploitability": "The CVSS score of 9.8 indicates a critical severity, while the EPSS score of less than 1% suggests that public exploitation is currently limited and the vulnerability is not in the CISA KEV catalog. The likely attack vector is network-based, where an unauthenticated attacker sends crafted requests to the Bing Images service to trigger the command injection. Because arbitrary commands can be executed, the risk to the system and data is significant if the exploit succeeds."}}}}, "created": "2026-03-20T08:55:36.278060+00:00", "updated": "2026-04-15T16:45:09.826851+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$bing_images"]}