Description
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Entra ID allows an authorized attacker to perform spoofing over a network.
Published: 2026-06-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user input during web page generation in Microsoft Entra ID creates a cross‑site scripting flaw that allows an authorized attacker to inject malicious content into pages rendered by Microsoft Edge (Chromium‑based). The attacker can opportunistically spoof legitimate pages over the network, potentially deceiving users or capturing sensitive data. This vulnerability is identified as CWE‑79 and can enable attackers to forge page content or masquerade as a trusted source.

Affected Systems

Microsoft Edge (Chromium‑based) users browsing pages generated by Microsoft Entra ID are vulnerable. No specific Edge version range is listed in the advisory, so any release that renders Entra ID content could be impacted. The attack requires an authenticated Entra ID user who can submit content that is subsequently reflected in the browser.

Risk and Exploitability

The CVSS score of 8.8 signals high severity, while the EPSS score of < 1% indicates a very low probability of exploitation. The vulnerability is not included in the CISA KEV catalog. Based on the description it is inferred that the attack vector involves an authorized user inserting input that is then reflected into the user interface of Entra ID, which Edge renders. If exploited, the spoofing could lead to phishing, credential theft, or the injection of malicious scripts into pages viewed by other users.

Generated by OpenCVE AI on July 14, 2026 at 12:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft Edge updates that contain the fix for CVE‑2026‑32208 as documented in the Microsoft Security Response Center update guide.
  • Disable or tightly restrict any custom web page generation or content‑injection features in Microsoft Entra ID for accounts that do not need to submit content, thereby reducing the attack surface available to authenticated users.
  • Implement a strict Content Security Policy in Microsoft Entra ID and enable the browser’s XSS protection mechanisms to block reflected malicious input before it is rendered in Edge.

Generated by OpenCVE AI on July 14, 2026 at 12:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 20:30:00 +0000

Type Values Removed Values Added
Description Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Edge (Chromium-based) allows an authorized attacker to perform spoofing over a network. Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Entra ID allows an authorized attacker to perform spoofing over a network.
Title Microsoft Edge (Chromium-based) Spoofing Vulnerability Microsoft Entra ID Spoofing Vulnerability

Mon, 22 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 19 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Description Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Edge (Chromium-based) allows an authorized attacker to perform spoofing over a network.
Title Microsoft Edge (Chromium-based) Spoofing Vulnerability
First Time appeared Microsoft
Microsoft edge Chromium
Weaknesses CWE-79
CPEs cpe:2.3:a:microsoft:edge_chromium:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft edge Chromium
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


Subscriptions

Microsoft Edge Chromium
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-07-08T23:22:47.784Z

Reserved: 2026-03-11T01:49:58.659Z

Link: CVE-2026-32208

cve-icon Vulnrichment

Updated: 2026-06-22T17:30:25.416Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-14T12:15:10Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')