Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
5DescriptionNVD
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
AnalysisAI
Spoofing via reflected/stored cross-site scripting in Microsoft Exchange Server allows a remote unauthenticated attacker to execute attacker-controlled script in the context of a victim's authenticated Exchange session after the victim interacts with a crafted link or message. With a CVSS 3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R) and high confidentiality and integrity impact, successful exploitation enables session hijacking, mailbox content disclosure, and message manipulation, though no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Technical ContextAI
The underlying weakness is CWE-79, improper neutralization of user-supplied input during web page generation, in components of Microsoft Exchange Server that render attacker-controllable content (commonly Outlook Web Access / OWA, ECP, or message rendering paths). Exchange Server is Microsoft's on-premises mail and collaboration platform built on IIS and .NET, and XSS in these web surfaces lets injected HTML or JavaScript execute in the browser of an authenticated administrator or mailbox user. Because Exchange web interfaces hold privileged session cookies and Exchange tokens, successful script execution can act on behalf of the victim against the same origin.
RemediationAI
Patch available per vendor advisory - apply the Microsoft Exchange Server security update referenced at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47631 for your installed version and cumulative update, as MSRC is the authoritative source for the exact fix build. Until the update is deployed, reduce exposure by restricting OWA and ECP access to trusted networks or via a reverse proxy with authentication pre-checks, enforcing strict Content Security Policy and HttpOnly/Secure cookie flags where supported, and training privileged users (especially Exchange admins using ECP) to avoid clicking unsolicited Exchange links; note that restricting OWA externally will affect remote mailbox users, and CSP tuning on Exchange can break legitimate add-ins, so test before broad rollout.
More in Exchange Server
View allMicrosoft Exchange Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.1), this vulnerability is remote
Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is rem
Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is rem
<p>A remote code execution vulnerability exists in Microsoft Exchange server due to improper validation of cmdlet argume
Microsoft Exchange Server Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is
Microsoft Exchange Server Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is
A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a speci
Rollup 18 for Microsoft Exchange Server 2010 SP3 and previous versions has an SSRF vulnerability via the username parame
An elevation of privilege vulnerability exists in Microsoft Exchange Server, aka 'Microsoft Exchange Server Elevation of
Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.0), this vulnerability is low
Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.7 and 8.4 allows
Microsoft Exchange Server Information Disclosure Vulnerability. Rated high severity (CVSS 7.3), this vulnerability is re
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35506
GHSA-42jv-fvjf-vjmq