CVE-2026-50649 is a .NET remote code execution vulnerability caused by deserialization of untrusted data. Microsoft rates it High severity with a CVSS v3.1 base score of 7.8 and temporal score of 6.8. The vector is local access, low attack complexity, no privileges required, user interaction required, and unchanged scope. Microsoft reports no public disclosure, no known exploitation, and exploit code maturity is unproven. Because it is a local, user-interaction-dependent issue rather than a network-reachable one, enterprise risk is lower for exposed services but remains relevant for endpoints and internal systems where users may open untrusted content. Highlights: - CVSS scores: Base 7.8 - Temporal 6.8 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN - Impact: Remote Code Execution with HIGH confidentiality, integrity, and availability impacts - Exploitation likelihood: Exploitation Less Likely; vector context is LOCAL, LOW attack complexity, NO privileges required, and user interaction is REQUIRED - Severity for enterprise: High technical severity, but lower exposure risk than network-based RCEs because exploitation requires local access and user interaction - Patch status: available; customer action required Affected systems: - No products listed