Vulnerability intelligence

CVE-2026-42898

Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.

CVSS Score

9.9

Critical

EPSS — Exploit Probability

0.1%

Riskier than 25% of all CVEs

Exploitation

Not in CISA KEV

No federal exploitation record

Remediation

Patch available

Vendor fix published

NVD entry Vendor patch PoC / advisory

4 articles across 4 outlets · first covered May 12, 2026 · latest May 13, 2026

Coverage timeline

Microsoft Patch Tuesday for May 2026 fix 138 bugs, some of them are alarming
securityaffairs.com · May 13, 2026
May 2026 Patch Tuesday: 137 Vulnerabilities, No Zero-Days
socradar.io · May 13, 2026
Microsoft patches 120 bugs, flags critical Netlogon and DNS RCEs
www.infosecurity-magazine.com · May 13, 2026
Microsoft Patch May 2026 fixes 137 bugs, zero day free
www.darkreading.com · May 12, 2026