Severity by source
Sources disagree (Medium–Critical)AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
5DescriptionNVD
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
Articles & Coverage 1
AnalysisAI
Cross-site scripting (XSS) in Microsoft Exchange Server enables remote attackers to spoof content and steal credentials without authentication. Affects Exchange Server 2016 CU23, 2019 CU14/CU15, and Subscription Edition. Functional exploit code exists (CVSS temporal E:F) though no active exploitation confirmed at analysis time. CVSS 8.1 (High) driven by network vector, no authentication requirement, and dual confidentiality/integrity impact. Microsoft released patches via MSRC security update guide. Medium-high priority for organizations running affected Exchange versions with webmail or OWA exposed.
Technical ContextAI
CWE-79 cross-site scripting vulnerability in Microsoft Exchange Server's web interface components, likely affecting Outlook Web Access (OWA) or Exchange Admin Center (EAC) input validation routines. Affected products span Exchange Server 2016 CU23 (on-premises), Exchange Server 2019 CU14 and CU15 (on-premises), and Exchange Server Subscription Edition RTM (cloud-connected hybrid deployments). XSS flaws in Exchange typically manifest in email rendering engines, calendar invite handlers, or administrative web panel input fields where user-supplied data is reflected in generated HTML/JavaScript without proper encoding. Exchange Server's ASP.NET-based web stack requires multi-layer sanitization across C
backend code and client-side JavaScript - failures at any layer enable script injection. The network attack vector (AV:N) with low complexity (AC:L) indicates exploitation through standard HTTP/HTTPS traffic to Exchange web services, requiring no special network positioning beyond internet or intranet access to the Exchange server's web interfaces.
RemediationAI
Apply security updates released by Microsoft via the MSRC update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897, which provides cumulative update packages addressing this XSS vulnerability across all affected Exchange Server versions. Exchange patches are cumulative - install the latest CU for your major version to receive the fix (likely CU24+ for Exchange 2016, CU16+ for Exchange 2019 based on affected CU listings). Interim mitigations before patching: implement Content Security Policy (CSP) headers on Exchange web virtual directories to restrict inline script execution (trade-off: may break custom OWA add-ins or poorly coded third-party integrations); deploy email security gateway with URL rewriting to proxy external links through sandbox environments (reduces phishing vector effectiveness but adds latency); restrict OWA access to VPN-authenticated users only if feasible for your organization (eliminates unauthenticated external attack surface but impacts user experience for remote workers). For Subscription Edition, Microsoft may auto-apply patches - verify deployment status through Microsoft 365 admin center. Test patches in non-production environment first as Exchange CUs can affect mailbox database schema and require extended maintenance windows.
Stored/reflected cross-site scripting in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition
Remote code execution in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM) lets an aut
Local privilege escalation in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM) allows
Local privilege escalation in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM) allows
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30343
GHSA-3c39-338m-m4vp