#VU126007 Improper Neutralization of Escape, Meta, or Control Sequences in Power Apps - CVE-2026-26149

 


Published: April 14, 2026


Vulnerability identifier: #VU126007
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-26149
CWE-ID: CWE-150
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Power Apps
Software vendor: Microsoft

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to improper neutralization of escape, meta, or control sequences in Microsoft Power Apps. A remote user can bypass the security warning dialog that is meant to clearly inform users when an app is attempting to open an external protocol.


Remediation

Install updates from the vendor's website.

External links