CVE-2026-47646 is a cross-site scripting (XSS) vulnerability in Microsoft Dynamics 365 Customer Voice that allows an unauthenticated attacker to perform spoofing attacks over a network. The flaw stems from improper handling of user-supplied input during web page generation, meaning malicious content could be injected and rendered in a victim’s browser. Because no authentication is required to exploit this, the potential reach is broad for any organisation using Customer Voice externally.

Security Architect’s Take: Review your Dynamics 365 Customer Voice deployments and ensure Microsoft’s patch is applied promptly; additionally, assess whether any customer-facing survey links or embedded forms could be weaponised to deliver spoofed content to end users, and consider adding Content Security Policy (CSP) headers as a compensating control where supported.

Original advisory: CVE-2026-47646 Dynamics 365 Customer Voice Spoofing Vulnerability