CVE-2026-47646: Dynamics 365 Customer Voice XSS Flaw

🟠 High | Source: Microsoft Security Response Center

CVE-2026-47646 is a cross-site scripting (XSS) vulnerability in Microsoft Dynamics 365 Customer Voice that allows an unauthenticated attacker to perform spoofing attacks over a network. The flaw stems from improper handling of user-supplied input during web page generation, meaning malicious content could be injected and rendered in a victim’s browser. Because no authentication is required to exploit this, the potential reach is broad for any organisation using Customer Voice externally. ...

18 June 2025 · ZX Cloud Security

CVE-2026-47647: Dynamics 365 Privilege Escalation

🟠 High | Source: Microsoft Security Response Center

A flaw in Microsoft Dynamics 365 allows an already-authenticated attacker to gain higher privileges than they should have, purely over the network — no physical access required. This means a low-privileged user or compromised account could be leveraged to access sensitive business data or administrative functions within Dynamics 365. Given how widely Dynamics 365 is used for CRM and ERP workflows, the potential business impact is significant. ...

18 June 2025 · ZX Cloud Security

CVE-2026-40371: Dynamics 365 On-Prem EoP Fix

🟠 High | Source: Microsoft Security Response Center

A privilege escalation vulnerability in Microsoft Dynamics 365 on-premises has been assigned CVE-2026-40371, allowing an attacker to gain elevated permissions within the application. Microsoft has corrected its remediation guidance: the fix is contained in Dynamics 365 Server v9.1 Update 1.45 (build 9.1.0045.0011), not the previously stated version 6.2. Organisations that applied the earlier guidance should verify they are running the correct build to ensure they are actually protected. ...

16 June 2025 · ZX Cloud Security
