CVE-2026-58647
Received Received - Intake

BaseFortify

Vulnerability report for CVE-2026-58647, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-14

Last updated on: 2026-07-14

Assigner: Microsoft Corporation

Description

Improper neutralization of input during web page generation ('cross-site scripting') in Power BI allows an authorized attacker to perform spoofing over a network.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-14
Last Modified
2026-07-14
Generated
2026-07-14
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
microsoft power_bi *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-58647 is a cross-site scripting (XSS) vulnerability in Microsoft Power BI. This vulnerability occurs due to improper neutralization of user input during web page generation.

An authorized attacker can exploit this flaw to inject malicious scripts into web pages viewed by other users. This allows the attacker to perform spoofing attacks over a network, potentially tricking users into disclosing sensitive information or performing unintended actions.

Impact Analysis

If you are a user or organization using Microsoft Power BI, this vulnerability could impact you in several ways:

  • Spoofing attacks: An attacker could impersonate legitimate users or systems, leading to deception or misinformation.
  • Data theft: Malicious scripts could steal sensitive information, such as login credentials or personal data, from users interacting with the compromised web pages.
  • Unauthorized actions: Attackers could manipulate user sessions to perform actions on behalf of the victim, such as altering reports or accessing restricted data.

The CVSS base score of 8.0 indicates a high severity, meaning the vulnerability poses a significant risk if exploited.

Compliance Impact

This vulnerability could impact compliance with several common standards and regulations, depending on the context of its exploitation:

  • GDPR (General Data Protection Regulation): If the vulnerability leads to unauthorized access or disclosure of personal data of EU citizens, it could result in a violation of GDPR. Organizations may face fines or legal consequences for failing to protect personal data adequately.
  • HIPAA (Health Insurance Portability and Accountability Act): If Power BI is used to handle protected health information (PHI) and the vulnerability results in unauthorized access or disclosure of PHI, it could lead to non-compliance with HIPAA. This may result in penalties or legal action.
  • Other standards: Depending on the industry, this vulnerability could also affect compliance with standards like PCI DSS (for payment data) or SOX (for financial reporting), if sensitive data is exposed or manipulated.

Organizations should assess the potential impact of this vulnerability on their compliance obligations and take appropriate remediation steps to mitigate risks.

Detection Guidance

Detecting this vulnerability requires checking for improperly neutralized input in Power BI web interfaces that could lead to cross-site scripting (XSS). Since this is a client-side vulnerability, detection typically involves:

  • Reviewing Power BI reports and dashboards for suspicious input fields or scripts that may execute unintended code.
  • Using web application security scanners (e.g., OWASP ZAP, Burp Suite) to probe Power BI web interfaces for XSS vulnerabilities. Example command for OWASP ZAP: `zap-baseline.py -t https://your-powerbi-instance.com -c config.conf`.
  • Monitoring network traffic for unusual script execution or unauthorized requests originating from Power BI interfaces.
  • Checking Power BI logs for evidence of unauthorized script injections or spoofing attempts. Log locations depend on the deployment (e.g., Azure Log Analytics for cloud deployments).

No specific commands are provided in the context, but these methods align with general XSS detection practices.

Mitigation Strategies

To mitigate CVE-2026-58647, follow these immediate steps:

  • Apply the latest security updates for Power BI as provided by Microsoft. Refer to the official Microsoft Update Guide for patch details (Resource 1).
  • Restrict access to Power BI reports and dashboards to authorized users only, enforcing least-privilege principles.
  • Enable input validation and output encoding in Power BI to neutralize malicious scripts. This may require custom configurations or third-party tools if not natively supported.
  • Monitor Power BI environments for suspicious activity, such as unauthorized script execution or spoofing attempts.
  • Educate users and administrators about the risks of XSS and spoofing attacks, emphasizing safe practices for handling Power BI content.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58647. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart