Power Bi Report Server
CVE-2026-21229
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Improper input validation in Power BI allows an authorized attacker to execute code over a network.
AnalysisAI
Improper input validation in Power BI allows an authorized attacker to execute code over a network. [CVSS 8.0 HIGH]
Technical ContextAI
Classified as CWE-20 (Improper Input Validation). Affects Power Bi Report Server. Improper input validation in Power BI allows an authorized attacker to execute code over a network.
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
More in Power Bi Report Server
View allA cross-site scripting (XSS) vulnerability exists when Microsoft SQL Server Reporting Services (SSRS) does not properly
Cross-site scripting (CWE-79) in Microsoft Power BI Report Server lets an authenticated, low-privileged attacker inject
Power BI Report Server Spoofing Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitabl
Power BI Report Server Spoofing Vulnerability. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitabl
Microsoft Power BI Information Disclosure Vulnerability. Rated high severity (CVSS 7.7), this vulnerability is remotely
A Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerability exists when Power BI Report Server Temp
Power BI Remote Code Execution Vulnerability. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable
A spoofing vulnerability exists in Microsoft Power BI Report Server in the way it validates the content-type of uploaded
Power BI Report Server Spoofing Vulnerability. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploita
Same weakness CWE-20 – Improper Input Validation
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today