External risk intelligence

Dynamics 365 Customer Voice Cross-Site Scripting Vulnerability Allows Spoofing

CVE advisorySeverity: MEDIUM (CVSS 6.1)

CVE-2026-47646

Dynamics 365 Customer Voice is a web-based service designed to be public-facing for collecting external survey responses from the internet. As a cloud-hosted web application meant for broad distribution and public interaction, it is inherently reachable from the internet by design.

Cross-site Scripting

Microsoft Dynamics 365 Customer Voice

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability in Dynamics 365 Customer Voice could allow an attacker to impersonate users and potentially manipulate web content. This type of cross-site scripting vulnerability, which allows unauthorized code execution within a user's browser session, impacts a widely used customer feedback platform. While the direct business impact requires further assessment of your specific deployment, the potential for spoofing warrants attention.

  • Attackers can impersonate users in feedback tools.
  • Critical flaw enables widespread user impersonation.
  • Confirm relevance and exposure for your environment.

Attack Path

How an attacker could exploit the issue

An attacker can compromise a Dynamics 365 Customer Voice instance by sending a specially crafted link to a user. When the user clicks this link, the attacker can then spoof content seen by the user, potentially tricking them into revealing sensitive information or performing unintended actions.

  • Entry condition: Network access, no privileges.
  • Trigger point: User interaction with a malicious link.
  • Resulting risk: Credential theft and user deception.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthorized attacker to perform spoofing, potentially leading to users being tricked into believing they are interacting with a legitimate Dynamics 365 Customer Voice service. This occurs when input is not properly neutralized during web page generation, enabling cross-site scripting.

  • User interface and trust could be compromised.
  • Attacker injects malicious scripts via input.
  • Users may be misled into harmful actions.

Operational Fix

Recommended remediation, mitigation, and detection steps

Microsoft Dynamics 365 Customer Voice, a cloud-hosted web application designed for broad public interaction, is susceptible to cross-site scripting, allowing unauthorized attackers to potentially spoof users. Initial response should focus on identifying all instances of the affected technology, determining business criticality and network exposure, locating the accountable owner, and then prioritizing remediation actions based on this risk assessment.

  • Ownership likely rests with Dynamics 365 administrators or the application owner.
  • Verify network reachability and business criticality of deployments.
  • Plan coordinated remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Dynamics 365 Customer Voice?

Dynamics 365 Customer Voice is a cloud-based feedback management application that allows organizations to create and send surveys to customers. It is designed to capture feedback and analyze customer sentiment through web-based forms, making it a primary interface for interacting with external audiences and collecting public responses.

What does CWE-79 mean for CVE-2026-47646?

CVE-2026-47646 involves CWE-79, or Improper Neutralization of Input During Web Page Generation, commonly known as Cross-Site Scripting (XSS). This means the application fails to adequately filter malicious scripts from user input. As a result, an attacker can inject and execute unauthorized code within another user's browser, enabling them to alter the appearance of web pages or perform actions while impersonating a legitimate user.

How is this vulnerability triggered?

The flaw is triggered when a user clicks on a specially crafted link provided by an attacker. This malicious link forces the browser to execute unauthorized scripts during the page generation process. It is important to note that the vulnerability is not triggered by simply hosting a survey; it specifically requires the targeted user to interact with the manipulated link to execute the script in their session.

Is my organization at risk from this CVE?

Halo Surface Signal indicates that Dynamics 365 Customer Voice is inherently public-facing by design, as it must be accessible from the internet to collect survey responses. Because the application is intentionally configured for broad distribution and external interaction, any instance of this service is reachable via the internet, increasing the potential for an attacker to target users who engage with these surveys.

What should I do if we use this software?

Begin by identifying all active instances of Dynamics 365 Customer Voice within your organization to understand your footprint. Coordinate with the application owners or administrators to assess the business criticality of each deployment. Focus your efforts on verifying the current security guidance provided by the vendor, and establish a plan to monitor for and apply any upcoming patches or configuration updates intended to neutralize the input processing issue.

References