CVE-2026-41094: Microsoft Data Formulator Remote Code Execution Vulnerability

Overview

Severity

High (CVSS 8.8)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Category

Remote Code Execution

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2026-May

Released

2026-05-12

Description

Improper control of generation of code ('code injection') in Microsoft Data Formulator allows an unauthorized attacker to execute code over a network.

FAQ

According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution? The vulnerability can be exploited remotely over the network without administrative privileges, but exploitation requires user interaction to trigger processing of user‑supplied input by the affected service.

Affected Products (1)

Developer Tools

• Microsoft Data Formulator

Security Updates (1)

• Release Notes

Acknowledgments

<a href="https://x.com/security_index">Yoshizawa</a>

Revision History

• 2026-05-12: Information published.