CVE-2026-26149

CRITICAL

Improper neutralization of escape, meta, or control sequences in Microsoft Power Apps allows an authorized attacker to perform spoofing over a network.

CVSS v3.1 Score

9.0

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Attack Vector

NETWORK

Complexity

LOW

Privileges

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Published: 4/14/2026Modified: 4/20/2026

Related Intelligence (2)

CRITICALZero Day

Patch Tuesday - April 2026

Microsoft is publishing 167 vulnerabilities on April 2026 Patch Tuesday . Microsoft is aware of exploitation in the wild for one of today’s vulnerabilities, and public disclosure for one other. Microsoft evaluates 19 of the vulnerabilities published today as more likely to see future exploitation. So far this month, Microsoft has provided patches to address 80 browser vulnerabilities, which are no

CVE-2026-32201CVE-2026-33825

Apr 14, 2026Rapid7

CRITICALVulnerability

NVD CRITICAL: CVE-2026-26149 — Improper neutralization of escape, meta, or control sequences in Microsoft Power...

Improper neutralization of escape, meta, or control sequences in Microsoft Power Apps allows an authorized attacker to bypass a security feature over a network.

CVE-2026-26149

Apr 14, 2026NIST NVD

References (1)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26149