CVE-2026-41094

Microsoft · Data Formulator

A code injection vulnerability in Microsoft Data Formulator allows unauthorized attackers to execute arbitrary code over a network.

Executive summary

A critical code injection vulnerability in Microsoft Data Formulator poses a significant risk of remote code execution.

Vulnerability

This vulnerability involves improper control of generation of code (CWE-94), enabling an unauthenticated attacker to execute code over a network.

Business impact

Successful exploitation of this vulnerability could allow an attacker to gain full control over the affected system, leading to unauthorized data access, system disruption, or lateral movement within the network. With a CVSS score of 8.8, this flaw represents a high-severity risk that requires immediate prioritization by IT and security operations teams.

Remediation

Immediate Action: Update Microsoft Data Formulator to version 0.7 or later to implement the vendor-supplied fix.

Proactive Monitoring: Review system and network logs for unusual process execution or network traffic originating from the Data Formulator service.

Compensating Controls: Deploy Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting code generation parameters.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Due to the severity of this code injection flaw, organizations should treat this as a high-priority remediation task. Ensure all instances of Microsoft Data Formulator are updated to the latest version immediately to eliminate the risk of remote compromise.