CVE-2026-21264

Published Jan 22, 2026

Last updated a month ago

CVSS critical 9.3

Overview

Description
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Account allows an unauthorized attacker to perform spoofing over a network.
Source
secure@microsoft.com
NVD status
Analyzed
CNA Tags
exclusively-hosted-service
Products
account

Risk scores

CVSS 3.1

Type
Primary
Base score
6.1
Impact score
2.7
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity
MEDIUM

Weaknesses

secure@microsoft.com
CWE-79

Social media

Hype score
Not currently trending

Configurations

Related CVEs

  1. Improper authorization in Samsung Account prior to version 15.5.01.1 allows local attacker to launch arbitrary activity with Samsung Account privilege.CVE-2025-58487
  2. Improper input validation in Samsung Account prior to version 15.5.01.1 allows local attacker to execute arbitrary script.CVE-2025-58486
  3. Improper handling of insufficient permissions or privileges in Samsung Account prior to version 15.5.00.18 allows local attackers to access data in Samsung Account. User interaction is required for triggering this vulnerability.CVE-2025-21076
  4. Improper URL input validation vulnerability in Samsung Account application prior to version 14.1.0.0 allows remote attackers to get sensitive information.CVE-2023-21481
  5. Missing authorization in Microsoft Account allows an unauthorized attacker to elevate privileges over a network.CVE-2025-21396

References

Sources include official advisories and independent security research.