Dynamics 365 Customer Voice Cross-Site Scripting Spoofing Vulnerability
Improper neutralization of input during web page generation ('cross-site scripting') in Dynamics 365 Customer Voice allows an unauthorized attacker to perform spoofing over a network.
Quick answer
Microsoft Dynamics 365 Customer Voice should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- Microsoft Dynamics 365 Customer Voice cloud service
Fixed versions
- Microsoft service-side update
How to fix it
Microsoft Dynamics 365 Customer Voice was affected by a cross-site scripting and spoofing vulnerability. Because this is a Microsoft cloud service, confirm the Microsoft fix is applied to the tenant, review survey links and responses for abuse, and tighten sharing controls.
- Check Microsoft Security Update Guide, service health, and tenant messages for the Dynamics 365 Customer Voice fix status for CVE-2026-47646.
- Ensure affected Dynamics 365 and Customer Voice tenants are receiving current Microsoft service updates.
- Review active Customer Voice surveys, public links, embedded forms, and invitation templates for suspicious script or spoofed content.
- Remove or regenerate survey links that were exposed during the vulnerable period.
- Review audit logs, response exports, and user activity for unexpected survey edits or malicious links.
- Limit who can create, publish, and share Customer Voice surveys in the tenant.
- Warn users not to trust old survey URLs if spoofing or injected content is detected.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm Microsoft marks CVE-2026-47646 as fixed for the tenant or service region.
- Validate Customer Voice survey pages no longer execute injected script in tested fields or URLs.
- Review tenant audit logs for unusual survey changes, sharing changes, or response exports.
- Test legitimate survey creation, sharing, and response collection after remediation.
- Run a Fixnx scan and verify public survey or landing pages do not expose unsafe script behavior.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-47646?
Microsoft Dynamics 365 Customer Voice versions listed as affected should be reviewed: Microsoft Dynamics 365 Customer Voice cloud service.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
