{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33819", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2026-03-24T00:52:01.351Z", "datePublished": "2026-04-23T21:35:50.367Z", "dateUpdated": "2026-05-12T17:37:48.367Z"}, "containers": {"cna": {"title": "Microsoft Bing Remote Code Execution Vulnerability", "datePublic": "2026-04-23T14:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:bing:*:*:*:*:*:*:*:*", "versionStartIncluding": "-"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Bing", "versions": [{"version": "-", "status": "affected"}]}], "descriptions": [{"value": "Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-502: Deserialization of Untrusted Data", "lang": "en-US", "type": "CWE", "cweId": "CWE-502"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-12T17:37:48.367Z"}, "references": [{"name": "Microsoft Bing Remote Code Execution Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33819"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "CRITICAL", "baseScore": 10, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C"}}], "tags": ["exclusively-hosted-service"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-33819"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-25T03:55:50.152Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33819", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-24T14:52:36.484090Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T14:55:14.293Z"}}], "cna": {"tags": ["exclusively-hosted-service"], "title": "Microsoft Bing Remote Code Execution Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 10, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Bing", "versions": [{"status": "affected", "version": "-"}]}], "datePublic": "2026-04-23T14:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33819", "name": "Microsoft Bing Remote Code Execution Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502: Deserialization of Untrusted Data"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:bing:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "-"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-11T16:04:47.781Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33819", "state": "PUBLISHED", "dateUpdated": "2026-05-11T16:04:47.781Z", "dateReserved": "2026-03-24T00:52:01.351Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-04-23T21:35:50.367Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:bing:-:*:*:*:*:*:*:*", "matchCriteriaId": "622F4499-3149-4D84-8A29-332A7F498209", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "secure@microsoft.com", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network."}], "id": "CVE-2026-33819", "lastModified": "2026-05-05T14:15:20.343", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "secure@microsoft.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-23T22:16:37.817", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33819"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Microsoft Bing", "source": "cna", "vendor": "Microsoft"}, "product": "bing", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-04-28T07:23:19.922431+00:00", "value": {"mitigation_remediation": ["Apply the latest Microsoft Bing security update released by Microsoft", "Ensure that only trusted sources send data to Bing by enforcing strict input validation and access controls", "Isolate Bing services on a separate network segment and enforce least\u2011privilege access for all connected components"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Any deployment of Microsoft Bing. No specific version numbers are listed in the advisory, so all current and future releases are likely affected until an update is applied.", "description_and_impact": "Microsoft Bing has a vulnerability that allows an attacker to deserialize untrusted data and execute arbitrary code. The flaw is a classic deserialization weakness (CWE\u2011502) that can give an unauthorized user the ability to run malicious code via the network, potentially giving them full control over the affected system.", "risk_and_exploitability": "The CVSS score of 10 highlights the maximum severity of the issue. The EPSS score is below 1\u202f%, indicating a very low probability of exploitation in the wild at the time of this analysis, and the vulnerability is not yet in the CISA KEV catalog. The attack can be performed remotely over a network by sending specially crafted data to the Bing service, assuming the attacker can reach the target. Because the flaw is a deserialization bug, any data payload that can be crafted by the attacker and delivered to the service may trigger the vulnerability."}}}}, "created": "2026-04-27T22:15:14.795414+00:00", "updated": "2026-04-28T07:30:26.329173+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$bing"]}