Cross-Site Scripting Vulnerability in Microsoft Account by Microsoft
CVE-2026-21264

9.3CRITICAL

Key Information:

Vendor: Microsoft
Status: Microsoft Account
Vendor: CVE Published:; 22 January 2026

What is CVE-2026-21264?

A cross-site scripting vulnerability exists in Microsoft Account due to improper input neutralization during web page generation. An unauthorized attacker could exploit this flaw to perform spoofing attacks, allowing them to manipulate user interactions and potentially mislead users into revealing sensitive information over a network. This vulnerability emphasizes the need for stringent input validation measures to secure user interactions.

Affected Version(s)

Microsoft Account -

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE...

vendor-advisorypatch

CVSS V3.1

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 22, 2026
Vulnerability Reserved
Dec 11, 2025

CVE-2026-21264 Data

JSON