CVE-2026-58647 is a Microsoft PowerBI Report Server spoofing vulnerability, categorized as an improper neutralization of input during web page generation (cross-site scripting). Microsoft assigns it a CVSS v3.1 base score of 8.0 and temporal score of 7.0, with NETWORK attack vector, LOW attack complexity, LOW privileges required, and USER INTERACTION required. The stated impact is spoofing, with HIGH confidentiality, integrity, and availability impacts. Microsoft reports no public disclosure, no exploitation, and exploit code maturity is UNPROVEN; exploitation likelihood is listed as unlikely. Customer action is required. No affected products are listed in the source data. Highlights: - CVSS scores: Base 8.0 - Temporal 7.0 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN. - Impact: Spoofing with HIGH confidentiality, HIGH integrity, and HIGH availability impacts. - Exploitation likelihood: Exploitation Unlikely; vector is NETWORK with LOW attack complexity, LOW privileges required, and USER INTERACTION required. - Severity for enterprise: High CVSS severity, but enterprise risk is moderated by the required user interaction and lack of reported exploitation; still relevant for web-facing PowerBI Report Server deployments. - Patch status: available Affected systems: - No products listed in the source data