Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Network XSS needing victim interaction (UI:R) with a scope change into the app context; spoofing yields limited confidentiality/integrity impact, so C:L/I:L rather than H.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionNVD
Improper neutralization of input during web page generation ('cross-site scripting') in Dynamics 365 Customer Voice allows an unauthorized attacker to perform spoofing over a network.
AnalysisAI
Cross-site scripting in Microsoft Dynamics 365 Customer Voice allows a remote, unauthenticated attacker to inject script that executes in a victim's browser session and perform spoofing once the victim interacts with attacker-supplied content. The flaw carries a CVSS 9.3 rating driven largely by a scope change (S:C), meaning injected script escapes into a different security context. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to interact with attacker-supplied content (UI:R) - such as opening a malicious Customer Voice survey link or viewing attacker-controlled survey content rendered in the Dynamics 365 web interface - so it is not a fully automatic remote attack. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N, score 9.3) signals network reach, low complexity, and no attacker privileges, but mandatory user interaction (UI:R) - the victim must open or interact with malicious content, which meaningfully limits mass, hands-off exploitation despite the high headline score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a Dynamics 365 Customer Voice survey or response containing a malicious XSS payload and lures a target - for example a survey administrator or respondent - into opening the attacker-controlled link. When the victim's browser renders the unescaped content, the script executes in the Dynamics 365 security context (scope change), letting the attacker spoof trusted UI or misrepresent content to the victim. … |
| Remediation | Because Dynamics 365 Customer Voice is a Microsoft-operated cloud service, the fix is applied by Microsoft server-side and no customer-installed patch is typically required; consult the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47646 to confirm remediation status and any tenant-side action. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all Dynamics 365 Customer Voice deployments in production; disable external survey sharing and restrict access to internal authenticated users only; alert stakeholders of the vulnerability. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42491
GHSA-vp2c-mc92-v364