CVE-2026-58647 in Power BI Report Serverinfo

Summary

by MITRE • 07/14/2026

Improper neutralization of input during web page generation ('cross-site scripting') in Power BI allows an authorized attacker to perform spoofing over a network.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/15/2026

Cross site scripting vulnerabilities in power bi represent a critical security weakness that enables authenticated attackers to manipulate web page content through malicious input injection. This vulnerability falls under the common weakness enumeration category CWE-79 which specifically addresses improper neutralization of input during web page generation, making it susceptible to XSS attacks. The flaw occurs when the power bi platform fails to properly sanitize user-supplied data before incorporating it into dynamically generated web pages, creating opportunities for attackers to inject malicious scripts that execute in the context of other users' browsers.

The operational impact of this vulnerability extends beyond simple content manipulation as it enables sophisticated attack vectors including session hijacking, credential theft, and unauthorized data access. An attacker with valid authentication credentials can leverage this weakness to perform spoofing operations over network connections, potentially masquerading as legitimate users or accessing restricted resources. The attack typically involves injecting malicious javascript code through input fields, URL parameters, or other entry points where user data is processed and subsequently rendered in web interfaces. This allows the attacker to execute arbitrary code in victims' browsers, potentially leading to complete compromise of user sessions and access to sensitive organizational data.

The security implications of this vulnerability align with several attack techniques documented in the mitre att&ck framework, particularly those related to initial access through web application attacks and privilege escalation via session hijacking. The vulnerability affects power bi's web interface rendering capabilities where user-generated content is not adequately filtered or escaped before being displayed to end users. This creates persistent cross site scripting opportunities that can be exploited across different browser environments and operating systems. Organizations using power bi must consider the broader implications of this vulnerability on their data security posture, as it represents a potential entry point for more extensive attacks targeting corporate networks.

Mitigation strategies should include implementing comprehensive input validation and output encoding mechanisms throughout the power bi platform, particularly focusing on user-supplied data handling in web page generation processes. Organizations should enforce strict content security policies and implement proper sanitization of all dynamic content before rendering. Regular security assessments and penetration testing should be conducted to identify potential injection points, while monitoring systems should be deployed to detect anomalous behavior patterns indicative of XSS exploitation attempts. Additionally, network segmentation and least privilege access controls can help limit the potential impact if an attacker successfully exploits this vulnerability, ensuring that even successful attacks do not provide unrestricted access to organizational resources.

Responsible

Microsoft

Reservation

07/01/2026

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00538

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!