CVE-2026-35428

CriticalRCE

Published: 07 May 2026

Published

07 May 2026

Modified

08 May 2026

KEV Added

—

Patch

—

CVSS Score 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

EPSS Score 0.0006 19.5th percentile

Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-35428 is a critical-severity Command Injection (CWE-77) vulnerability in Microsoft Azure Cloud Shell. Its CVSS base score is 9.6 (Critical).

Operationally, ranked at the 19.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

NVD Description

Improper neutralization of special elements used in a command ('command injection') in Azure Cloud Shell allows an unauthorized attacker to perform spoofing over a network.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s): CWE-77

Affected Products

microsoft

azure cloud shell

all versions

CVEs Like This One

CVE-2026-32169Same product: Microsoft Azure Cloud Shell

CVE-2026-32194Same vendor: Microsoft

CVE-2026-20841Same vendor: Microsoft

CVE-2025-55227Same vendor: Microsoft

CVE-2025-59252Same vendor: Microsoft

CVE-2025-24049Same vendor: Microsoft

CVE-2026-32183Same vendor: Microsoft

CVE-2025-59272Same vendor: Microsoft

CVE-2025-64671Same vendor: Microsoft

CVE-2025-59286Same vendor: Microsoft

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35428
Vendor Advisory · secure@microsoft.com