Technical Information

An authorized attacker with low privileges could exploit code injection by modifying the saved state of a process session in Dynamics CRM and trigger the system to process that data, which could result in the server unintentionally executing malicious code over a network, potentially impacting resources beyond the vulnerable component’s security scope.

Patch release date: May 12, 2026
Further information on this vulnerability is available at : CVE-2026-42898