Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Improper neutralization of input during web page generation ('cross-site scripting') in Power BI allows an authorized attacker to perform spoofing over a network.
AnalysisAI
Cross-site scripting (CWE-79) in Microsoft Power BI Report Server lets an authenticated, low-privileged attacker inject script that executes in another user's browser session, enabling spoofing of report content and hijacking of the victim's authenticated context over the network. Exploitation requires a victim to interact with attacker-controlled report content (UI:R). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Recommended ActionAI
Within 24 hours, inventory all Microsoft Power BI Report Server deployments and document current versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Power Bi Report Server
View allA cross-site scripting (XSS) vulnerability exists when Microsoft SQL Server Reporting Services (SSRS) does not properly
Power BI Report Server Spoofing Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitabl
Power BI Report Server Spoofing Vulnerability. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitabl
Improper input validation in Power BI allows an authorized attacker to execute code over a network. [CVSS 8.0 HIGH]
Microsoft Power BI Information Disclosure Vulnerability. Rated high severity (CVSS 7.7), this vulnerability is remotely
A Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerability exists when Power BI Report Server Temp
Power BI Remote Code Execution Vulnerability. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable
A spoofing vulnerability exists in Microsoft Power BI Report Server in the way it validates the content-type of uploaded
Power BI Report Server Spoofing Vulnerability. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploita
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43780
GHSA-qxvr-2hqj-cxr6