CVE-2026-32207: Improper neutralization of input during web page generation ('cross-site scripting') in Azure Machine Learning allows an
highvulnerability
security
Summary
CVE-2026-32207 is a cross-site scripting vulnerability (XSS, where an attacker injects malicious code into a web page that gets executed in users' browsers) in Azure Machine Learning that allows an unauthorized attacker to perform spoofing (impersonating someone or something else) over a network. The vulnerability stems from improper handling of user input during web page generation.
Vulnerability Details
CVSS Score
8.8(high)
EPSS (30-day exploit probability)
EPSS: 0.0%
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
network
Attack Complexity
low
Privileges Required
none
User Interaction
required
Disclosure Date
May 7, 2026
Classification
Attack Type
Jailbreak
Attack SophisticationTrivial
Impact (CIA+S)
integrity
AI Component TargetedInference
Taxonomy References
Affected Vendors
Microsoft
Related Issues
Monthly digest — independent AI security research
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-32207
First tracked: May 7, 2026 at 08:08 PM
Classified by LLM (prompt v3) · confidence: 75%