CVE-2026-47646
Microsoft · Dynamics 365 Customer Voice
A cross-site scripting (XSS) vulnerability in Microsoft Dynamics 365 Customer Voice allows unauthorized attackers to perform spoofing over a network.
Executive summary
A critical cross-site scripting vulnerability in Microsoft Dynamics 365 Customer Voice exposes organizations to potential spoofing attacks.
Vulnerability
This is a cross-site scripting (CWE-79) vulnerability caused by improper neutralization of input during web page generation, which can be leveraged by an unauthorized attacker.
Business impact
The exploitation of this vulnerability allows unauthorized actors to execute arbitrary scripts in the context of the user's session. Given the CVSS score of 9.3, this represents a critical risk that could lead to session hijacking, credential theft, and unauthorized data access. Successful exploitation may result in significant reputational damage and a compromise of internal business processes managed through the platform.
Remediation
Immediate Action: Apply the latest security updates provided by Microsoft for Dynamics 365 Customer Voice immediately.
Proactive Monitoring: Review web server and application logs for suspicious script-based requests or unusual user activity patterns.
Compensating Controls: Deploy a Web Application Firewall (WAF) configured with robust XSS protection rules to filter malicious input strings.
Exploitation status
Public Exploit Available: False
Analyst recommendation
Organizations utilizing Dynamics 365 Customer Voice must prioritize this update. Given the high CVSS score, the risk of session-based attacks is significant; therefore, patching should be performed during the next maintenance window to mitigate potential spoofing and data compromise threats.