Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionNVD
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
AnalysisAI
Cross-site scripting and server-side request forgery in Microsoft Exchange Server enables authenticated low-privilege network attackers to perform spoofing and exfiltrate sensitive information. Affected are Exchange Server 2016 CU23, 2019 CU14, 2019 CU15, and the Subscription Edition RTM release lines, all below their respective patched cumulative update builds. No public exploit identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though Microsoft has released patches across all affected branches.
Technical ContextAI
The vulnerability resides in Microsoft Exchange Server's web interface layer, which generates dynamic HTML content for browser-based access. CWE-918 (Server-Side Request Forgery) is assigned despite the CVE description explicitly naming cross-site scripting - a meaningful discrepancy. SSRF in Exchange typically manifests when user-supplied input is incorporated into server-initiated HTTP or backend requests without adequate validation, allowing the server itself to be weaponized as a proxy to reach internal resources. The CVSS vector reinforces the SSRF classification: UI:N (no victim browser interaction required) and C:H/I:N/A:N (high confidentiality loss, no write or denial-of-service) are characteristic of SSRF rather than reflected or stored XSS, which conventionally requires UI:R. The tags list both XSS and SSRF, suggesting the vulnerability may involve an input-reflection mechanism that simultaneously facilitates server-side request forgery. Affected CPE targets span Exchange 15.01.x (2016) and 15.02.x (2019/SE) builds.
RemediationAI
Upgrade to the patched cumulative update for your Exchange branch: Exchange Server 2016 CU23 should be updated to build 15.01.2507.069 or later; Exchange Server 2019 CU14 to 15.02.1544.041 or later; Exchange Server 2019 CU15 to 15.02.1748.046 or later; and Exchange Server Subscription Edition RTM to 15.02.2562.043 or later. Patch details are published at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45501. If immediate patching is not possible, restrict authenticated access to Exchange's web-facing endpoints (OWA, ECP, EWS) to trusted network segments or VPN-authenticated sessions only - this reduces exposure by limiting which authenticated users can reach the vulnerable input-handling surface. Note that restricting OWA/ECP access may disrupt remote workers relying on browser-based mail access. Web Application Firewall rules blocking SSRF-pattern payloads (internal IP ranges, metadata endpoint URIs, localhost references in request parameters) can provide partial compensating control but should not be treated as a substitute for patching given Exchange's complex attack surface.
More in Exchange Server
View allMicrosoft Exchange Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.1), this vulnerability is remote
Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is rem
Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is rem
<p>A remote code execution vulnerability exists in Microsoft Exchange server due to improper validation of cmdlet argume
Microsoft Exchange Server Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is
Microsoft Exchange Server Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is
A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a speci
Rollup 18 for Microsoft Exchange Server 2010 SP3 and previous versions has an SSRF vulnerability via the username parame
An elevation of privilege vulnerability exists in Microsoft Exchange Server, aka 'Microsoft Exchange Server Elevation of
Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.0), this vulnerability is low
Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.7 and 8.4 allows
Microsoft Exchange Server Information Disclosure Vulnerability. Rated high severity (CVSS 7.3), this vulnerability is re
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35677
GHSA-rc45-hpv2-j3hh