Platform
dotnet
Component
microsoft-account
CVE-2026-21264 describes a cross-site scripting (XSS) vulnerability within the Microsoft Account service. This flaw allows an unauthorized attacker to potentially perform spoofing attacks over a network. The vulnerability impacts versions of Microsoft Account prior to a patch release, and Microsoft is expected to release an update to address this issue.
The primary impact of CVE-2026-21264 is the potential for attackers to execute malicious scripts within a user's browser while they are authenticated to their Microsoft Account. This can lead to various consequences, including session hijacking, credential theft, and redirection to phishing sites. An attacker could craft a malicious link or inject script into a legitimate Microsoft Account page, tricking users into executing the code. The scope of impact is broad, as any user accessing the affected Microsoft Account functionality could be vulnerable. Successful exploitation could compromise user data and potentially grant attackers access to sensitive information associated with the account.
CVE-2026-21264 was publicly disclosed on 2026-01-22. The CVSS score of 9.3 (CRITICAL) indicates a high probability of exploitation. Public proof-of-concept (POC) code is not currently available, but the XSS nature of the vulnerability makes it likely that one will emerge. Monitor CISA and NVD for updates and potential exploitation campaigns.
Exploit Status
EPSS
0.04% (14% percentile)
CISA SSVC
CVSS Vector
Currently, a specific fixed version of Microsoft Account is not available. Until a patch is released, users should exercise extreme caution when clicking links or interacting with content within their Microsoft Account. Consider enabling multi-factor authentication (MFA) on your Microsoft Account to add an extra layer of security. Monitor Microsoft's security advisories and apply the patch as soon as it becomes available. Web application firewalls (WAFs) configured to detect and block XSS payloads might offer some protection, but this is not a guaranteed mitigation.
Microsoft recommends applying the latest security updates to protect against this vulnerability. See the Microsoft security bulletin for more information and the corresponding updates.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-21264 is a critical cross-site scripting (XSS) vulnerability in Microsoft Account that allows attackers to potentially perform spoofing attacks over a network due to improper input neutralization.
If you are using Microsoft Account prior to the release of a patch, you are potentially affected by this vulnerability. Monitor Microsoft's security advisories for updates.
Upgrade to the latest patched version of Microsoft Account as soon as it becomes available. Until then, exercise caution and consider enabling multi-factor authentication.
While no active exploitation has been confirmed, the vulnerability's severity and XSS nature suggest a high likelihood of exploitation. Monitor security advisories for updates.
Refer to the official Microsoft Security Response Center (MSRC) website for the latest advisory regarding CVE-2026-21264: https://msrc.microsoft.com/
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your packages.lock.json file and we'll tell you instantly if you're affected.