Skip to main content

Power Bi Report Server

10 CVEs product

Monthly

CVE-2026-58647 HIGH PATCH This Week

Cross-site scripting (CWE-79) in Microsoft Power BI Report Server lets an authenticated, low-privileged attacker inject script that executes in another user's browser session, enabling spoofing of report content and hijacking of the victim's authenticated context over the network. Exploitation requires a victim to interact with attacker-controlled report content (UI:R). There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; a vendor patch is available per the MSRC advisory.

XSS Power Bi Report Server
NVD
CVSS 3.1
8.0
EPSS
0.5%
CVE-2026-21229 HIGH PATCH This Week

Improper input validation in Power BI allows an authorized attacker to execute code over a network. [CVSS 8.0 HIGH]

Code Injection Power Bi Report Server
NVD
CVSS 3.1
8.0
EPSS
0.0%
CVE-2024-43612 MEDIUM PATCH This Month

Power BI Report Server Spoofing Vulnerability. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Power Bi Report Server
NVD
CVSS 3.1
4.7
EPSS
0.7%
CVE-2024-43481 HIGH PATCH This Week

Power BI Report Server Spoofing Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Power Bi Report Server
NVD
CVSS 3.1
8.8
EPSS
1.9%
CVE-2023-21806 HIGH PATCH This Week

Power BI Report Server Spoofing Vulnerability. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Power Bi Report Server
NVD
CVSS 3.1
8.2
EPSS
0.8%
CVE-2021-41372 HIGH PATCH This Week

A Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerability exists when Power BI Report Server Template file (pbix) containing HTML files is uploaded to the server and HTML files. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity.

CSRF Privilege Escalation XSS Power Bi Report Server
NVD
CVSS 3.1
7.6
EPSS
0.6%
CVE-2021-31984 HIGH PATCH This Week

Power BI Remote Code Execution Vulnerability. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity.

RCE Power Bi Report Server
NVD
CVSS 3.1
7.6
EPSS
1.8%
CVE-2021-26859 HIGH PATCH This Week

Microsoft Power BI Information Disclosure Vulnerability. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity.

Microsoft Information Disclosure Power Bi Report Server
NVD
CVSS 3.1
7.7
EPSS
2.8%
CVE-2020-1173 MEDIUM PATCH This Month

A spoofing vulnerability exists in Microsoft Power BI Report Server in the way it validates the content-type of uploaded attachments, aka 'Microsoft Power BI Report Server Spoofing Vulnerability'. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity.

Microsoft Information Disclosure Power Bi Report Server
NVD
CVSS 3.1
6.8
EPSS
2.4%
CVE-2019-1332 MEDIUM POC PATCH This Month

A cross-site scripting (XSS) vulnerability exists when Microsoft SQL Server Reporting Services (SSRS) does not properly sanitize a specially-crafted web request to an affected SSRS server, aka. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Microsoft Power Bi Report Server Sql Server 2017 Reporting Services Sql Server 2019 Reporting Services
NVD GitHub
CVSS 3.1
6.1
EPSS
7.2%
EPSS 1% CVSS 8.0
HIGH PATCH This Week

Cross-site scripting (CWE-79) in Microsoft Power BI Report Server lets an authenticated, low-privileged attacker inject script that executes in another user's browser session, enabling spoofing of report content and hijacking of the victim's authenticated context over the network. Exploitation requires a victim to interact with attacker-controlled report content (UI:R). There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; a vendor patch is available per the MSRC advisory.

XSS Power Bi Report Server
NVD
EPSS 0% CVSS 8.0
HIGH PATCH This Week

Improper input validation in Power BI allows an authorized attacker to execute code over a network. [CVSS 8.0 HIGH]

Code Injection Power Bi Report Server
NVD
EPSS 1% CVSS 4.7
MEDIUM PATCH This Month

Power BI Report Server Spoofing Vulnerability. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Power Bi Report Server
NVD
EPSS 2% CVSS 8.8
HIGH PATCH This Week

Power BI Report Server Spoofing Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Power Bi Report Server
NVD
EPSS 1% CVSS 8.2
HIGH PATCH This Week

Power BI Report Server Spoofing Vulnerability. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Power Bi Report Server
NVD
EPSS 1% CVSS 7.6
HIGH PATCH This Week

A Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerability exists when Power BI Report Server Template file (pbix) containing HTML files is uploaded to the server and HTML files. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity.

CSRF Privilege Escalation XSS +1
NVD
EPSS 2% CVSS 7.6
HIGH PATCH This Week

Power BI Remote Code Execution Vulnerability. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity.

RCE Power Bi Report Server
NVD
EPSS 3% CVSS 7.7
HIGH PATCH This Week

Microsoft Power BI Information Disclosure Vulnerability. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity.

Microsoft Information Disclosure Power Bi Report Server
NVD
EPSS 2% CVSS 6.8
MEDIUM PATCH This Month

A spoofing vulnerability exists in Microsoft Power BI Report Server in the way it validates the content-type of uploaded attachments, aka 'Microsoft Power BI Report Server Spoofing Vulnerability'. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity.

Microsoft Information Disclosure Power Bi Report Server
NVD
EPSS 7% CVSS 6.1
MEDIUM POC PATCH This Month

A cross-site scripting (XSS) vulnerability exists when Microsoft SQL Server Reporting Services (SSRS) does not properly sanitize a specially-crafted web request to an affected SSRS server, aka. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Microsoft Power Bi Report Server +2
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy