CVE-2026-21531

CRITICAL

Azure Conversation Authoring Client Library - Remote Code Execution via Untrusted Data Deserialization

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-21531. PoCs published by XiaomingX, NetVanguard-cmd.

AI-analyzed exploit summary The repository contains a functional SQL injection exploit for WordPress Quiz Maker (CVE-2025-10042), demonstrating time-based blind SQLi via crafted HTTP headers. The exploit includes data extraction logic for WordPress admin credentials and hashes.

Description

Deserialization of untrusted data in Azure SDK allows an unauthorized attacker to execute code over a network.

Exploits (2)

github WORKING POC 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-21531

View Code ZIP pw:eip

The repository contains a functional SQL injection exploit for WordPress Quiz Maker (CVE-2025-10042), demonstrating time-based blind SQLi via crafted HTTP headers. The exploit includes data extraction logic for WordPress admin credentials and hashes.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: WordPress Quiz Maker <= 6.7.0.56

No auth needed

Prerequisites: target WordPress URL · path to quiz page · vulnerable header (default: X-Forwarded-For)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 27, 2026 Full analysis →

nomisec SUSPICIOUS 4 stars

by NetVanguard-cmd · poc

https://github.com/NetVanguard-cmd/CVE-2026-21531

View Code ZIP pw:eip

The repository claims to provide an exploit for CVE-2026-21531 but contains no actual exploit code. Instead, it directs users to download files from a tinyurl link, which is a common social engineering tactic.

Classification

Suspicious 90%

Attack Type

Deserialization

Complexity

Theoretical

Reliability

Theoretical

Target: Azure SDK (version not specified)

No auth needed

Prerequisites: None specified

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory patch

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21531

Scores

CVSS v3 9.8

EPSS 0.0062

EPSS Percentile 70.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-502

Status published

Products (3)

Microsoft/Azure AI Language Authoring 1.0.0 - 1.0.0b4

microsoft/azure_conversation_authoring_client_library 1.0.0 beta1 (3 CPE variants)

pypi/azure-ai-language-conversations-authoring 0 - 1.0.0b4PyPI

Published Feb 10, 2026

Tracked Since Feb 18, 2026