{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21264", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2025-12-11T21:02:05.738Z", "datePublished": "2026-01-22T22:47:38.744Z", "dateUpdated": "2026-04-01T13:49:27.520Z"}, "containers": {"cna": {"title": "Microsoft Account Spoofing Vulnerability", "datePublic": "2026-01-22T16:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:micrososft_account:*:*:*:*:*:*:*:*", "versionStartIncluding": "-"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Account", "versions": [{"version": "-", "status": "affected"}]}], "descriptions": [{"value": "Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Account allows an unauthorized attacker to perform spoofing over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en-US", "type": "CWE", "cweId": "CWE-79"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-01T13:49:27.520Z"}, "references": [{"name": "Microsoft Account Spoofing Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21264"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "CRITICAL", "baseScore": 9.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C"}}], "tags": ["exclusively-hosted-service"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21264", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-24T04:55:22.864646Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:44:29.038Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21264", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-24T04:55:22.864646Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T20:02:56.629Z"}}], "cna": {"tags": ["exclusively-hosted-service"], "title": "Microsoft Account Spoofing Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 9.3, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Account", "versions": [{"status": "affected", "version": "-"}]}], "datePublic": "2026-01-22T16:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21264", "name": "Microsoft Account Spoofing Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Account allows an unauthorized attacker to perform spoofing over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:micrososft_account:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "-"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-01T13:49:27.520Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21264", "state": "PUBLISHED", "dateUpdated": "2026-04-01T13:49:27.520Z", "dateReserved": "2025-12-11T21:02:05.738Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-01-22T22:47:38.744Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:account:-:*:*:*:*:*:*:*", "matchCriteriaId": "7CAFA2F9-C35B-4359-A38D-6AF611819033", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "secure@microsoft.com", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Account allows an unauthorized attacker to perform spoofing over a network."}], "id": "CVE-2026-21264", "lastModified": "2026-02-03T12:58:31.007", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.8, "source": "secure@microsoft.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-22T23:15:57.407", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21264"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T17:48:22.605236+00:00", "value": {"mitigation_remediation": ["Apply the Microsoft Account security update for CVE\u20112026\u201121264, available through the Microsoft Security Update Guide.", "Apply context\u2011aware output encoding and enable built\u2011in XSS filtering to ensure all user input is properly sanitized before rendering in the Microsoft Account portal.", "Enforce multi\u2011factor authentication on all Microsoft Account logins and monitor for anomalous sign\u2011in attempts to mitigate credential theft."], "summary": {"action": "Patch Immediately", "impact": "Cross\u2011site scripting leading to Microsoft Account spoofing"}, "threat_synthesis": {"affected_systems": "Microsoft Account services are affected. The CVE entry does not specify particular build or release numbers; all publicly available Microsoft Account deployments should be treated as potentially vulnerable until an official security update is applied.", "description_and_impact": "The vulnerability is an improper neutralization of input during web page generation, identified as a cross\u2011site scripting (CWE\u201179) flaw in Microsoft Account services. Injected scripts execute in the context of the authenticated user, enabling an attacker to generate a spoofed account page that appears legitimate. The attacker can then use the impersonated interface to trick users into revealing credentials, session tokens, or other sensitive information, effectively facilitating phishing or credential theft.", "risk_and_exploitability": "The vulnerability carries a high CVSS score of 9.3, yet an EPSS of less than 1\u202f% indicates a very low but non\u2011zero exploitation likelihood. It is not listed in the CISA KEV catalog. Based on the description, it is inferred that exploitation requires the delivery of malicious JavaScript to a user\u2019s browser, typically via a malicious webpage or a compromised Microsoft Account session that embeds user input into the portal. Once the script runs, the attacker can manipulate the page to impersonate Microsoft services and harvest sensitive data. The combination of high severity and low exploitation probability suggests that vendors and administrators should prioritize applying the patch, as the potential impact is substantial."}}}}, "created": "2026-04-16T18:00:11.142925+00:00", "updated": "2026-04-16T18:00:11.142938+00:00", "vendors": []}