cve-2026-26149

In practical terms, UI:R means this vulnerability is not a fully remote, drive-by issue that the attacker can trigger on their own. A victim has to do something first — in this case, open, load, or otherwise interact with the malicious Power Apps canvas app — before the exploit path can succeed...