Microsoft Dynamics 365 — known CVE vulnerabilities
Every CVE whose affected-product data names Microsoft Dynamics 365, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (99)
CVE-2026-42898 — CVSS 9.9 (critical): Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute…
CVE-2026-47647 — CVSS 9.9 (critical): Improper access control in Microsoft Dynamics 365 allows an authorized attacker to elevate privileges over a network.
CVE-2026-32210 — CVSS 9.3 (critical): Server-side request forgery (ssrf) in Microsoft Dynamics 365 (Online) allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-42833 — CVSS 9.1 (critical): Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute…
CVE-2024-38182 — CVSS 9.0 (critical): Weak authentication in Microsoft Dynamics 365 allows an unauthenticated attacker to elevate privileges over a network.
CVE-2018-8609 — CVSS 8.8 (high): A remote code execution vulnerability exists in Microsoft Dynamics 365 (on-premises) version 8 when the server fails to properly sanitize…
CVE-2026-40371 — CVSS 8.8 (high): Improper handling of insufficient permissions or privileges in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to…
CVE-2019-1229 — CVSS 8.8 (high): An elevation of privilege vulnerability exists in Dynamics On-Premise v9. An attacker who successfully exploited the vulnerability could…
CVE-2020-17152 — CVSS 8.8 (high): Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability
CVE-2020-17158 — CVSS 8.8 (high): Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability
CVE-2025-62210 — CVSS 8.7 (high): Improper neutralization of input during web page generation ('cross-site scripting') in Dynamics 365 Field Service (online) allows an…
CVE-2025-62211 — CVSS 8.7 (high): Improper neutralization of input during web page generation ('cross-site scripting') in Dynamics 365 Field Service (online) allows an…
CVE-2020-16872 — CVSS 7.6 (high): <p>A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web…
CVE-2025-49715 — CVSS 7.5 (high): Exposure of private personal information to an unauthorized actor in Dynamics 365 FastTrack Implementation Assets allows an unauthorized…
CVE-2020-16862 — CVSS 7.1 (high): <p>A remote code execution vulnerability exists in Microsoft Dynamics 365 (on-premises) when the server fails to properly sanitize web…
CVE-2020-16860 — CVSS 6.8 (medium): <p>A remote code execution vulnerability exists in Microsoft Dynamics 365 (on-premises) when the server fails to properly sanitize web…
CVE-2025-53728 — CVSS 6.5 (medium): Exposure of sensitive information to an unauthorized actor in Microsoft Dynamics 365 (on-premises) allows an unauthorized attacker to…
CVE-2025-62206 — CVSS 6.5 (medium): Exposure of sensitive information to an unauthorized actor in Microsoft Dynamics 365 (on-premises) allows an unauthorized attacker to…
CVE-2018-8654 — CVSS 6.5 (medium): An elevation of privilege vulnerability exists in Microsoft Dynamics 365 Server, aka 'Microsoft Dynamics 365 Elevation of Privilege…
CVE-2020-16943 — CVSS 6.5 (medium): <p>An elevation of privilege vulnerability exists in Microsoft Dynamics 365 Commerce. An unauthenticated attacker who successfully…
CVE-2026-33103 — CVSS 5.5 (medium): Improper access control in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to disclose information locally.
CVE-2020-1063 — CVSS 5.4 (medium): A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web…
CVE-2018-8607 — CVSS 5.4 (medium): A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) version 8 does not properly sanitize a specially…
CVE-2025-49745 — CVSS 5.4 (medium): Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Dynamics 365 (on-premises) allows an…
CVE-2018-8606 — CVSS 5.4 (medium): A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) version 8 does not properly sanitize a specially…
CVE-2020-0656 — CVSS 5.4 (medium): A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web…
CVE-2019-1375 — CVSS 5.4 (medium): A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web…
CVE-2018-8608 — CVSS 5.4 (medium): A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) version 8 does not properly sanitize a specially…
CVE-2018-8605 — CVSS 5.4 (medium): A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) version 8 does not properly sanitize a specially…
CVE-2020-16978 — CVSS 5.4 (medium): <p>A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web…
CVE-2020-16956 — CVSS 5.4 (medium): <p>A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web…
CVE-2020-16878 — CVSS 5.4 (medium): <p>A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web…
CVE-2020-16871 — CVSS 5.4 (medium): <p>A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web…
CVE-2020-16864 — CVSS 5.4 (medium): <p>A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web…
CVE-2020-16861 — CVSS 5.4 (medium): <p>A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web…
CVE-2020-16859 — CVSS 5.4 (medium): <p>A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web…
CVE-2020-16858 — CVSS 5.4 (medium): <p>A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web…
CVE-2020-1591 — CVSS 5.4 (medium): A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web…