CVE-2026-42898

Daily digests

An authenticated attacker can inject and execute arbitrary code on your Dynamics 365 on-prem server over the network. At CVSS 9.9, this is about as bad as it gets for a post-auth bug: one compromised low-privilege account could mean full server takeover. No reports of wild exploitation yet, but the attack surface is wide for anyone running on-prem Dynamics.

• Patch Tuesday · May 13, 2026

  Patch Tuesday May 2026: DNS + Netlogon at 9.8, 19 more