CVE-2026-32194 critical

Microsoft Bing Images command injection credited by XBOW

CVE-2026-32194 is a critical Bing Images command-injection RCE that XBOW says was found by its autonomous offensive-security system.

Bug class: Command injection -> remote code execution
Affected codebase: Microsoft Bing Images
Credited system: XBOW
Disclosed: March 19, 2026
Attribution: Self-reported attribution
Severity: critical
Source status: XBOW self-report of AI attribution, corroborated by MSRC/NVD-style CVE records for the vulnerability class and severity.

Summary

CVE-2026-32194 is a Microsoft Bing Images command-injection vulnerability. The public CVE wording describes improper neutralization of command elements, allowing an unauthorized network attacker to execute code.

XBOW identifies this CVE as one of the critical Microsoft software RCEs found by its autonomous system. As with CVE-2026-32191, technical details are limited in the public record.

Why it matters

The pair of Bing entries shows how quickly the public record can move from a single AI-attributed milestone to a cluster. That is one of the operational signatures of bugflation: once a system finds one class of bug in a large surface, adjacent surfaces can become cheaper to investigate.



Catalogued in the Bugflation public ledger. Disagree with the attribution or severity label? Email the desk.