CVE-2026-53597
Microsoft · Prompty
Microsoft Prompty is affected by a code injection vulnerability in the markdown file format processing logic, which may allow arbitrary code execution.
Executive summary
A code injection vulnerability in Microsoft Prompty versions 2.0.0-alpha.1 through 2.0.0-beta.2 poses a significant security risk to users.
Vulnerability
This vulnerability is categorized as CWE-94, representing improper control of code generation. The flaw exists in the processing of markdown files, allowing an unauthenticated attacker to inject and execute arbitrary code within the application environment.
Business impact
The CVSS score of 8.7 highlights the critical nature of this vulnerability. Compromise of the Prompty environment could lead to significant data loss or unauthorized access, as the vulnerability allows for total technical impact on the affected host.
Remediation
Immediate Action: Upgrade to version 2.0.0-beta.3 or later as soon as the release is confirmed available.
Proactive Monitoring: Inspect all ingested markdown files for malicious content and monitor application logs for signs of unauthorized code execution or unexpected process launches.
Compensating Controls: Restrict the ingestion of markdown files to trusted sources only and ensure the application runs with the principle of least privilege.
Exploitation status
Public Exploit Available: No
Analyst recommendation
The severity of this flaw necessitates immediate attention. Users currently running affected alpha or beta versions of Prompty should update to the patched version immediately to protect against potential code injection attacks.