SYS::ONLINE
Wasteland.
Briefs1138
Issues18
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-47646 2026-07-08

CVE-2026-47646: Critical XSS in Microsoft Dynamics 365 Customer Voice

"A critical cross-site scripting flaw in Microsoft Dynamics 365 Customer Voice lets an unauthenticated attacker carry out spoofing attacks over the network."

A critical cross-site scripting flaw in Microsoft Dynamics 365 Customer Voice lets an unauthenticated attacker carry out spoofing attacks over the network.

What Is It

CVE-2026-47646 is an improper neutralization of input during web page generation ('cross-site scripting') vulnerability (CWE-79) in Microsoft Dynamics 365 Customer Voice. It allows an unauthorized attacker to perform spoofing over a network. Microsoft has assigned it a CVSS 3.1 base score of 9.3 (CRITICAL), with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N.

Why It Matters

The flaw is network-reachable with low attack complexity and requires no privileges, meaning an attacker needs no prior access to the system. Because the scope is marked as changed, a successful attack can impact resources beyond the vulnerable component itself, with high impact to both confidentiality and integrity. The one mitigating factor is that user interaction is required, so exploitation depends on convincing a target to take an action. Microsoft tags the CVE as an exclusively-hosted-service issue.

What's Vulnerable

Because this is flagged as an exclusively hosted service, the affected component is a Microsoft-operated cloud service rather than customer-installed software.

Patch Status

The NVD record lists a status of "Received" and was published on 2026-07-09. No CISA KEV entry was supplied for this CVE, so there is no confirmation of active exploitation at this time. Refer to Microsoft's MSRC update guide (below) for authoritative remediation guidance; as an exclusively hosted service, fixes are typically applied by Microsoft on the service side.

Sources