Skip to main content

Microsoft Exchange Server CVE-2026-45501

| EUVDEUVD-2026-35677 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-09 secure@microsoft.com GHSA-rc45-hpv2-j3hh
6.1
CVSS 3.1 · NVD
Temporal: 5.7
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
ENISA EUVD
HIGH
qualitative
CIRCL (temporal)
5.7 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
CVSS changed
Jun 15, 2026 - 19:37 NVD
6.5 (MEDIUM) 6.1 (MEDIUM)
Analysis Generated
Jun 09, 2026 - 19:42 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
MEDIUM 6.5

DescriptionNVD

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

AnalysisAI

Cross-site scripting and server-side request forgery in Microsoft Exchange Server enables authenticated low-privilege network attackers to perform spoofing and exfiltrate sensitive information. Affected are Exchange Server 2016 CU23, 2019 CU14, 2019 CU15, and the Subscription Edition RTM release lines, all below their respective patched cumulative update builds. No public exploit identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though Microsoft has released patches across all affected branches.

Technical ContextAI

The vulnerability resides in Microsoft Exchange Server's web interface layer, which generates dynamic HTML content for browser-based access. CWE-918 (Server-Side Request Forgery) is assigned despite the CVE description explicitly naming cross-site scripting - a meaningful discrepancy. SSRF in Exchange typically manifests when user-supplied input is incorporated into server-initiated HTTP or backend requests without adequate validation, allowing the server itself to be weaponized as a proxy to reach internal resources. The CVSS vector reinforces the SSRF classification: UI:N (no victim browser interaction required) and C:H/I:N/A:N (high confidentiality loss, no write or denial-of-service) are characteristic of SSRF rather than reflected or stored XSS, which conventionally requires UI:R. The tags list both XSS and SSRF, suggesting the vulnerability may involve an input-reflection mechanism that simultaneously facilitates server-side request forgery. Affected CPE targets span Exchange 15.01.x (2016) and 15.02.x (2019/SE) builds.

RemediationAI

Upgrade to the patched cumulative update for your Exchange branch: Exchange Server 2016 CU23 should be updated to build 15.01.2507.069 or later; Exchange Server 2019 CU14 to 15.02.1544.041 or later; Exchange Server 2019 CU15 to 15.02.1748.046 or later; and Exchange Server Subscription Edition RTM to 15.02.2562.043 or later. Patch details are published at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45501. If immediate patching is not possible, restrict authenticated access to Exchange's web-facing endpoints (OWA, ECP, EWS) to trusted network segments or VPN-authenticated sessions only - this reduces exposure by limiting which authenticated users can reach the vulnerable input-handling surface. Note that restricting OWA/ECP access may disrupt remote workers relying on browser-based mail access. Web Application Firewall rules blocking SSRF-pattern payloads (internal IP ranges, metadata endpoint URIs, localhost references in request parameters) can provide partial compensating control but should not be treated as a substitute for patching given Exchange's complex attack surface.

CVE-2020-17132 CRITICAL POC
9.1 Dec 10

Microsoft Exchange Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.1), this vulnerability is remote

CVE-2022-23277 HIGH POC
8.8 Mar 09

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is rem

CVE-2021-42321 HIGH POC
8.8 Nov 10

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is rem

CVE-2020-16875 HIGH POC
8.4 Sep 11

<p>A remote code execution vulnerability exists in Microsoft Exchange server due to improper validation of cmdlet argume

CVE-2021-28481 CRITICAL POC
9.8 Apr 13

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2021-28480 CRITICAL POC
9.8 Apr 13

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2018-0986 HIGH POC
8.8 Apr 04

A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a speci

CVE-2018-16793 HIGH POC
8.6 Sep 21

Rollup 18 for Microsoft Exchange Server 2010 SP3 and previous versions has an SSRF vulnerability via the username parame

CVE-2019-0724 HIGH POC
8.1 Mar 05

An elevation of privilege vulnerability exists in Microsoft Exchange Server, aka 'Microsoft Exchange Server Elevation of

CVE-2023-36745 HIGH POC
8.0 Sep 12

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.0), this vulnerability is low

CVE-2013-0418 MEDIUM
6.8 Jan 17

Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.7 and 8.4 allows

CVE-2021-33766 HIGH POC
7.3 Jul 14

Microsoft Exchange Server Information Disclosure Vulnerability. Rated high severity (CVSS 7.3), this vulnerability is re

Share

CVE-2026-45501 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy