criticalCVE-2026-47646

Dynamics 365 Customer Voice Cross-Site Scripting Spoofing Vulnerability

Improper neutralization of input during web page generation ('cross-site scripting') in Dynamics 365 Customer Voice allows an unauthorized attacker to perform spoofing over a network.

ProductDynamics 365 Customer Voice
CVSS9.3
EPSS0.00454
UpdatedJuly 10, 2026

Quick answer

Microsoft Dynamics 365 Customer Voice should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • Microsoft Dynamics 365 Customer Voice cloud service

Fixed versions

  • Microsoft service-side update

How to fix it

Microsoft Dynamics 365 Customer Voice was affected by a cross-site scripting and spoofing vulnerability. Because this is a Microsoft cloud service, confirm the Microsoft fix is applied to the tenant, review survey links and responses for abuse, and tighten sharing controls.

  1. Check Microsoft Security Update Guide, service health, and tenant messages for the Dynamics 365 Customer Voice fix status for CVE-2026-47646.
  2. Ensure affected Dynamics 365 and Customer Voice tenants are receiving current Microsoft service updates.
  3. Review active Customer Voice surveys, public links, embedded forms, and invitation templates for suspicious script or spoofed content.
  4. Remove or regenerate survey links that were exposed during the vulnerable period.
  5. Review audit logs, response exports, and user activity for unexpected survey edits or malicious links.
  6. Limit who can create, publish, and share Customer Voice surveys in the tenant.
  7. Warn users not to trust old survey URLs if spoofing or injected content is detected.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm Microsoft marks CVE-2026-47646 as fixed for the tenant or service region.
  • Validate Customer Voice survey pages no longer execute injected script in tested fields or URLs.
  • Review tenant audit logs for unusual survey changes, sharing changes, or response exports.
  • Test legitimate survey creation, sharing, and response collection after remediation.
  • Run a Fixnx scan and verify public survey or landing pages do not expose unsafe script behavior.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-47646?

Microsoft Dynamics 365 Customer Voice versions listed as affected should be reviewed: Microsoft Dynamics 365 Customer Voice cloud service.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.