{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21512", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2025-12-30T18:10:54.845Z", "datePublished": "2026-02-10T17:51:16.670Z", "dateUpdated": "2026-05-11T21:25:15.584Z"}, "containers": {"cna": {"title": "Azure DevOps Server Cross-Site Scripting Vulnerability", "datePublic": "2026-02-10T16:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:azure_devops_server_2022:*:-:*:*:*:*:*:*", "versionStartIncluding": "20230131.0", "versionEndExcluding": "20260204.3"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Azure DevOps Server 2022", "versions": [{"version": "20230131.0", "lessThan": "20260204.3", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Server-side request forgery (ssrf) in Azure DevOps Server allows an authorized attacker to perform spoofing over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-918: Server-Side Request Forgery (SSRF)", "lang": "en-US", "type": "CWE", "cweId": "CWE-918"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-11T21:25:15.584Z"}, "references": [{"name": "Azure DevOps Server Cross-Site Scripting Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21512"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "MEDIUM", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-11T15:23:49.008178Z", "id": "CVE-2026-21512", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T15:24:04.134Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21512", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-11T15:23:49.008178Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T15:23:56.634Z"}}], "cna": {"title": "Azure DevOps Server Cross-Site Scripting Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Azure DevOps Server 2022", "versions": [{"status": "affected", "version": "20230131.0", "lessThan": "20260204.3", "versionType": "custom"}]}], "datePublic": "2026-02-10T16:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21512", "name": "Azure DevOps Server Cross-Site Scripting Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Server-side request forgery (ssrf) in Azure DevOps Server allows an authorized attacker to perform spoofing over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:azure_devops_server_2022:*:-:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "20260204.3", "versionStartIncluding": "20230131.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-11T21:25:15.584Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21512", "state": "PUBLISHED", "dateUpdated": "2026-05-11T21:25:15.584Z", "dateReserved": "2025-12-30T18:10:54.845Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-02-10T17:51:16.670Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:azure_devops_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "648338CD-C36A-41F0-8790-713928111BC7", "versionEndExcluding": "2022.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2022.2.0:-:*:*:*:*:*:*", "matchCriteriaId": "BCE17387-5AB3-4EED-BBAD-C0BFFC106C98", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2022.2.0:patch2:*:*:*:*:*:*", "matchCriteriaId": "F74AA6F1-F3A6-4F78-BD49-4907E487BEA0", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2022.2.0:patch3:*:*:*:*:*:*", "matchCriteriaId": "FEBE376F-E4B1-4A28-A1C1-D35F1A50B592", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2022.2.0:patch4:*:*:*:*:*:*", "matchCriteriaId": "7D4189D3-8BF8-439A-99BE-FF9A3787C14F", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2022.2.0:patch5:*:*:*:*:*:*", "matchCriteriaId": "9755C061-2382-48B9-8556-71C7B8BEF93C", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2022.2.0:patch6:*:*:*:*:*:*", "matchCriteriaId": "3BBA3E1F-F60B-4FAB-85B3-AB9A311A9CA8", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2022.2.0:patch7:*:*:*:*:*:*", "matchCriteriaId": "241CF9B3-92B7-42BF-AD86-4B34459EDBD2", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:azure_devops_server:2022.2.0:rc:*:*:*:*:*:*", "matchCriteriaId": "30FDFC54-1791-4224-9270-10E96C437C93", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Server-side request forgery (ssrf) in Azure DevOps Server allows an authorized attacker to perform spoofing over a network."}], "id": "CVE-2026-21512", "lastModified": "2026-02-11T21:39:50.107", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "secure@microsoft.com", "type": "Primary"}]}, "published": "2026-02-10T18:16:33.493", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21512"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[20230131.0,20260204.3)"}}], "product": "azure_devops_server_2022", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-04-15T18:39:46.606875+00:00", "value": {"mitigation_remediation": ["Download and install the Microsoft security update that addresses CVE\u20112026\u201121512 for Azure DevOps Server 2022.", "Restrict the URLs that Azure DevOps Server can contact by implementing input validation or a whitelist for outbound requests.", "Configure network segmentation or firewall rules to block outbound traffic from Azure DevOps Server to internal IP ranges that are not required for normal operation."], "summary": {"action": "Patch ASAP", "impact": "Server-Side Request Forgery"}, "threat_synthesis": {"affected_systems": "Microsoft Azure DevOps Server 2022. No specific patch or version details are listed in the CNA data, so all installations of the 2022 release are potentially vulnerable until updated.", "description_and_impact": "The vulnerability is a server\u2011side request forgery that allows an authenticated user to force the Azure DevOps Server to send arbitrary HTTP requests to internal network addresses, effectively enabling spoofing of internal services. This flaw, classified as CWE\u2011918, can be exploited to access or manipulate resources that are normally behind internal firewalls. The ability to trigger external requests from the server gives the attacker potential to exfiltrate data or pivot to other systems, thereby compromising confidentiality and possibly affecting integrity by modifying internal resources.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate severity, and the EPSS score of <1% suggests low current exploitation probability. The issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack requires the attacker to be authorized and to supply a crafted request within the server\u2019s processing workflow. Inference: the likely attack vector involves sending a specially crafted URL or payload through an authenticated session that causes the server to issue an outbound request to a target internal host."}}}}, "created": "2026-02-11T21:52:17.183033+00:00", "updated": "2026-04-15T18:45:11.446846+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$azure_devops_server_2022"]}