Skip to main content

Microsoft CVE-2026-32196

| EUVDEUVD-2026-22577 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-14 microsoft GHSA-fjm5-xhfc-2828
6.1
CVSS 3.1 · NVD
Temporal: 5.3
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CIRCL (temporal)
5.3 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Analysis Generated
Apr 14, 2026 - 19:43 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:46 euvd
EUVD-2026-22577
Analysis Generated
Apr 14, 2026 - 17:46 vuln.today
Patch released
Apr 14, 2026 - 17:46 nvd
Patch available
CVE Published
Apr 14, 2026 - 16:58 nvd
MEDIUM 6.1

DescriptionCVE.org

Improper neutralization of input during web page generation ('cross-site scripting') in Windows Admin Center allows an unauthorized attacker to perform spoofing over a network.

AnalysisAI

Stored cross-site scripting (XSS) in Windows Admin Center before version 2.6.5.16 allows unauthenticated remote attackers to inject malicious scripts that execute in the browsers of other users, enabling account spoofing and data theft. The vulnerability requires user interaction (clicking a malicious link) but has network-wide scope, affecting all users of the Admin Center instance. Microsoft has released a patched version; exploitation is currently limited to scenarios where attackers can socially engineer clicks on crafted URLs.

Technical ContextAI

Windows Admin Center is a browser-based management platform for Windows Server infrastructure. The vulnerability stems from improper input sanitization during HTML generation (CWE-79), allowing attackers to bypass XSS protections by injecting JavaScript payloads through unvalidated parameters. The affected versions (Windows Admin Center 1809.0 through 2.6.5.15) fail to properly encode user-controlled input before rendering it in web responses. This is a classic reflected or stored XSS flaw where attacker-supplied data reaches the DOM without adequate HTML entity encoding or Content Security Policy enforcement. The network-accessible nature of Admin Center (typically exposed for remote server management) and its privileged user base make this a valuable XSS target.

RemediationAI

Upgrade Windows Admin Center to version 2.6.5.16 or later, which includes the XSS input sanitization fix. This is the primary remediation and is the only vendor-supported path forward. For environments unable to patch immediately, implement network-level controls: restrict Admin Center access to trusted networks using firewall rules or VPN, enforce multi-factor authentication to reduce account compromise impact from successful XSS exploitation, and educate users to avoid clicking suspicious links pointing to the Admin Center URL. Microsoft's security advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32196 provides patch availability confirmation and additional mitigation context. Verify the patch installation and restart the Admin Center service to ensure the fix is active.

Share

CVE-2026-32196 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy