CVE-2026-42898EXPLOITEDPATCHED

Microsoft · Microsoft Dynamics 365 (on-premises) version 9.1

Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability

Description

Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.

Affected Products

Vendor	Product	Versions
Microsoft	Microsoft Dynamics 365 (on-premises) version 9.1	9.0

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42898(vendor-advisory, patch)

Related News (4 articles)

Tier C

Cisco Talos3h ago

Microsoft Patch Tuesday for May 2026 — Snort rules and prominent vulnerabilities

→ No new info (linked only)

Tier C

Qualys Blog3h ago

Microsoft and Adobe Patch Tuesday, May 2026 Security Update Review

→ No new info (linked only)

Tier C

VulDB5h ago

CVE-2026-42898 | Microsoft Dynamics 365 On-Premises 8.2/9.0 code injection

→ No new info (linked only)

Tier A

Microsoft MSRC9h ago

CVE-2026-42898 Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability

→ No new info (linked only)

CVSS 3.19.9 CRITICAL

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

9.1.44.15

CWECWE-94

PublishedMay 12, 2026

Last enriched4h agov3

Trending Score73

Source articles4

Independent4

Info Completeness10/14

Missing: epss, kev, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-41103EXP

Microsoft SSO Plugin for Jira & Confluence Elevation of Privilege Vulnerability

Trending: 79

CRITICALCVE-2026-33844EXP

Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability

Trending: 76

HIGHCVE-2026-26129EXP

M365 Copilot Information Disclosure Vulnerability

Trending: 75

CRITICALCVE-2026-33109EXP

Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability

Trending: 73

CRITICALCVE-2026-42831EXP

Microsoft Office Remote Code Execution Vulnerability

Trending: 72

Pin to Dashboard

Verification

State: verified

Confidence: 0%

Vulnerability Timeline

CVE Published

May 12, 2026

Discovered by ZDM

May 12, 2026

Updated: description, exploitAvailable, activelyExploited

May 12, 2026

Updated: affectedVersions

May 12, 2026

Actively Exploited

May 12, 2026

Exploit Available

May 12, 2026

Patch Available

May 12, 2026

Version History

Last enriched 4h ago

v3Tier C4h ago

Added affected version 8.2, updated severity to HIGH, and noted no patch available.

affectedVersions

via VulDB

v2Tier A6h ago

Added a detailed description of the vulnerability and marked it as actively exploited with an exploit available.

descriptionexploitAvailableactivelyExploited

via Microsoft MSRC

v16h ago

Initial creation