CVE Catalog

CVE-2026-32208

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.28%

20th percentile — higher than 20% of all known CVEs

Summary

A Cross-Site Scripting (XSS) vulnerability in Microsoft Entra ID allows an authorized attacker to perform spoofing attacks over a network. The flaw is caused by improper neutralization of input during web page generation.

Risk Assessment

An authorized attacker can exploit this vulnerability to display fraudulent content to users, potentially leading to credential theft or malware distribution.

Recommendation

Apply the security update provided by Microsoft for Microsoft Entra ID immediately. Additionally, implement input validation mechanisms and Content Security Policy (CSP).

Original NVD description (English source)

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Entra ID allows an authorized attacker to perform spoofing over a network.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS