Skip to main content

Microsoft Exchange Server CVE-2026-47631

| EUVDEUVD-2026-35506 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-09 secure@microsoft.com GHSA-42jv-fvjf-vjmq
5.4
CVSS 3.1 · NVD
Temporal: 7.1
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
ENISA EUVD
HIGH
qualitative
CIRCL (temporal)
7.1 HIGH
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Severity Changed
Jun 15, 2026 - 14:22 NVD
HIGH MEDIUM
CVSS changed
Jun 15, 2026 - 14:22 NVD
8.1 (HIGH) 5.4 (MEDIUM)
Patch available
Jun 09, 2026 - 19:03 EUVD
Analysis Generated
Jun 09, 2026 - 17:55 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
HIGH 8.1

DescriptionNVD

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

AnalysisAI

Spoofing via reflected/stored cross-site scripting in Microsoft Exchange Server allows a remote unauthenticated attacker to execute attacker-controlled script in the context of a victim's authenticated Exchange session after the victim interacts with a crafted link or message. With a CVSS 3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R) and high confidentiality and integrity impact, successful exploitation enables session hijacking, mailbox content disclosure, and message manipulation, though no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Technical ContextAI

The underlying weakness is CWE-79, improper neutralization of user-supplied input during web page generation, in components of Microsoft Exchange Server that render attacker-controllable content (commonly Outlook Web Access / OWA, ECP, or message rendering paths). Exchange Server is Microsoft's on-premises mail and collaboration platform built on IIS and .NET, and XSS in these web surfaces lets injected HTML or JavaScript execute in the browser of an authenticated administrator or mailbox user. Because Exchange web interfaces hold privileged session cookies and Exchange tokens, successful script execution can act on behalf of the victim against the same origin.

RemediationAI

Patch available per vendor advisory - apply the Microsoft Exchange Server security update referenced at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47631 for your installed version and cumulative update, as MSRC is the authoritative source for the exact fix build. Until the update is deployed, reduce exposure by restricting OWA and ECP access to trusted networks or via a reverse proxy with authentication pre-checks, enforcing strict Content Security Policy and HttpOnly/Secure cookie flags where supported, and training privileged users (especially Exchange admins using ECP) to avoid clicking unsolicited Exchange links; note that restricting OWA externally will affect remote mailbox users, and CSP tuning on Exchange can break legitimate add-ins, so test before broad rollout.

CVE-2020-17132 CRITICAL POC
9.1 Dec 10

Microsoft Exchange Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.1), this vulnerability is remote

CVE-2022-23277 HIGH POC
8.8 Mar 09

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is rem

CVE-2021-42321 HIGH POC
8.8 Nov 10

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is rem

CVE-2020-16875 HIGH POC
8.4 Sep 11

<p>A remote code execution vulnerability exists in Microsoft Exchange server due to improper validation of cmdlet argume

CVE-2021-28481 CRITICAL POC
9.8 Apr 13

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2021-28480 CRITICAL POC
9.8 Apr 13

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2018-0986 HIGH POC
8.8 Apr 04

A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a speci

CVE-2018-16793 HIGH POC
8.6 Sep 21

Rollup 18 for Microsoft Exchange Server 2010 SP3 and previous versions has an SSRF vulnerability via the username parame

CVE-2019-0724 HIGH POC
8.1 Mar 05

An elevation of privilege vulnerability exists in Microsoft Exchange Server, aka 'Microsoft Exchange Server Elevation of

CVE-2023-36745 HIGH POC
8.0 Sep 12

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.0), this vulnerability is low

CVE-2013-0418 MEDIUM
6.8 Jan 17

Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.7 and 8.4 allows

CVE-2021-33766 HIGH POC
7.3 Jul 14

Microsoft Exchange Server Information Disclosure Vulnerability. Rated high severity (CVSS 7.3), this vulnerability is re

Share

CVE-2026-47631 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy