Skip to main content

Dynamics 365 Customer Voice CVE-2026-47646

| EUVDEUVD-2026-42491 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-09 secure@microsoft.com GHSA-vp2c-mc92-v364
6.1
CVSS 3.1 · NVD
Temporal: 8.1
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CIRCL (temporal)
8.1 HIGH
cvss
vuln.today AI
6.1 MEDIUM

Network XSS needing victim interaction (UI:R) with a scope change into the app context; spoofing yields limited confidentiality/integrity impact, so C:L/I:L rather than H.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Severity Changed
Jul 09, 2026 - 18:52 NVD
CRITICAL MEDIUM
CVSS changed
Jul 09, 2026 - 18:52 NVD
9.3 (CRITICAL) 6.1 (MEDIUM)
Analysis Generated
Jul 09, 2026 - 00:29 vuln.today

DescriptionNVD

Improper neutralization of input during web page generation ('cross-site scripting') in Dynamics 365 Customer Voice allows an unauthorized attacker to perform spoofing over a network.

AnalysisAI

Cross-site scripting in Microsoft Dynamics 365 Customer Voice allows a remote, unauthenticated attacker to inject script that executes in a victim's browser session and perform spoofing once the victim interacts with attacker-supplied content. The flaw carries a CVSS 9.3 rating driven largely by a scope change (S:C), meaning injected script escapes into a different security context. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft survey/response with XSS payload
Delivery
Deliver survey link to victim
Exploit
Victim opens content in Dynamics 365
Execution
Script executes in session context
Impact
Spoof UI and misrepresent content

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to interact with attacker-supplied content (UI:R) - such as opening a malicious Customer Voice survey link or viewing attacker-controlled survey content rendered in the Dynamics 365 web interface - so it is not a fully automatic remote attack. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N, score 9.3) signals network reach, low complexity, and no attacker privileges, but mandatory user interaction (UI:R) - the victim must open or interact with malicious content, which meaningfully limits mass, hands-off exploitation despite the high headline score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a Dynamics 365 Customer Voice survey or response containing a malicious XSS payload and lures a target - for example a survey administrator or respondent - into opening the attacker-controlled link. When the victim's browser renders the unescaped content, the script executes in the Dynamics 365 security context (scope change), letting the attacker spoof trusted UI or misrepresent content to the victim. …
Remediation Because Dynamics 365 Customer Voice is a Microsoft-operated cloud service, the fix is applied by Microsoft server-side and no customer-installed patch is typically required; consult the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47646 to confirm remediation status and any tenant-side action. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all Dynamics 365 Customer Voice deployments in production; disable external survey sharing and restrict access to internal authenticated users only; alert stakeholders of the vulnerability. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-47646 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy