Description
Improper neutralization of input during web page generation ('cross-site scripting') in Windows Admin Center allows an unauthorized attacker to perform spoofing over a network.
Published: 2026-04-14
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Spoofing
Action: Immediate Patch
AI Analysis

Impact

A cross‑site scripting vulnerability in Windows Admin Center allows an attacker to inject malicious scripts into generated web pages. This flaw can be used to create spoofed content on the console, tricking users into believing they are interacting with legitimate elements. The attack could compromise the integrity of the user interface and facilitate phishing or credential theft.

Affected Systems

The affected product is Microsoft Windows Admin Center. No specific version ranges are provided in the advisory, so all installations should be reviewed for applicable patches.

Risk and Exploitability

The CVSS score of 6.1 indicates a moderate severity. Because the vulnerability is a web‑based XSS, the likely attack vector is over the network via the Windows Admin Center web interface; any user with access to the console could craft a payload. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation yet.

Generated by OpenCVE AI on April 14, 2026 at 19:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft patch for Windows Admin Center as documented in the Microsoft Security Advisory.
  • Limit network access to the Windows Admin Center web interface to trusted hosts only until the patch is applied.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 20:15:00 +0000

Values added (none removed):
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 17:30:00 +0000

Values added (none removed):
  Description: Improper neutralization of input during web page generation ('cross-site scripting') in Windows Admin Center allows an unauthorized attacker to perform spoofing over a network.
  Title: Windows Admin Center Spoofing Vulnerability
  First Time appeared: Microsoft; Microsoft windows Admin Center
  Weaknesses: CWE-79
  CPEs: cpe:2.3:a:microsoft:windows_admin_center:*:*:*:*:*:*:*:*
  Vendors & Products: Microsoft; Microsoft windows Admin Center
  References:
  Metrics: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-17T16:13:22.663Z

Reserved: 2026-03-11T00:26:53.427Z

Link: CVE-2026-32196

Vulnrichment

Updated: 2026-04-14T19:45:40.844Z

NVD

Status: Awaiting Analysis

Published: 2026-04-14T18:17:26.060

Modified: 2026-04-17T15:10:35.607

Link: CVE-2026-32196

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:45:03Z
