Description
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Live Share Canvas SDK allows an authorized attacker to elevate privileges over a network.
Published: 2026-06-09
Score: 8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is improper neutralization of input during web page generation, which allows a cross-site scripting (XSS) attack. An authenticated attacker can inject malicious input that is rendered in the Canvas web interface, where it executes as arbitrary script in the context of a legitimate user. This can be used to escalate privileges within the collaborative environment over a network.

Affected Systems

Microsoft Live Share Canvas SDK is affected. No specific version information is provided, so any installation of the SDK that has not been updated by Microsoft is potentially vulnerable.

Risk and Exploitability

The CVSS score of 8 reflects high severity. EPSS is not available, and the vulnerability is not included in CISA's KEV catalog. Exploitation requires the attacker to be an authorized user within the same network or collaboration session, making the attack vector an authenticated web‑based XSS that can elevate privileges. The lack of listed exploits suggests that the vulnerability has not yet been widely abused, but the high CVSS indicates significant risk if exploited.

Generated by OpenCVE AI on June 9, 2026 at 20:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the security update for Microsoft Live Share Canvas SDK published by Microsoft for CVE-2026-45644 (refer to https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45644).
  • Ensure the updated SDK is in use on all devices and servers that participate in Live Share sessions, and verify that no older versions remain accessible.
  • Review and tighten permission settings for users in Live Share sessions to limit privileged actions, and consider disabling inline script execution in the Canvas web interface as a temporary safeguard.



Advisories

No advisories yet.

History

Tue, 09 Jun 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Live Share Canvas SDK allows an authorized attacker to elevate privileges over a network. |
| Title | | Microsoft Live Share Canvas SDK Elevation of Privilege Vulnerability |
| First Time appeared | | Microsoft, Microsoft live Share Canvas |
| Weaknesses | | CWE-79 |
| CPEs | | cpe:2.3:a:microsoft:Live_share_canvas:*:SDK:*:*:*:*:*:* |
| Vendors & Products | | Microsoft, Microsoft live Share Canvas |
| References | | |
| Metrics | | cvssV3_1: {'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'} |


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T21:50:55.291Z

Reserved: 2026-05-12T20:33:35.156Z

Link: CVE-2026-45644

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-06-09T17:17:31.533

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-45644

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T20:15:07Z
