Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Network XSS needing victim rendering (UI:R) with no auth (PR:N); scope change (S:C) into the user session; high confidentiality from session/data theft, limited integrity via spoofing, no availability impact.
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
AnalysisAI
Stored/reflected cross-site scripting in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM) lets a network-based, unauthenticated attacker inject malicious script that executes in a victim's browser session, enabling spoofing and - per the scope-changed CVSS 9.6 vector - high impact to confidentiality, integrity, and availability of resources beyond the vulnerable component. Exploitation requires the target to view attacker-controlled content (UI:R). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to render attacker-controlled content in the Exchange web interface (UI:R in the CVSS vector) - for example opening a crafted message or navigating to a malicious OWA/ECP page - so it is not zero-click. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 9.6 (Critical) driven by AV:N (network), AC:L (low complexity), PR:N (no privileges), UI:R (user interaction required), and S:C with C:H/I:H/A:H. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts an email or web request containing malicious HTML/JavaScript that Exchange fails to neutralize when generating an OWA page; when a mailbox user opens the message or view in their browser, the script executes in the Exchange web origin, allowing session token theft, spoofed content, or actions performed as the victim. Because AC is low and no authentication is needed to deliver the payload, the main barrier is convincing the victim to render the content (UI:R). … |
| Remediation | Patch available per vendor advisory: apply the Microsoft security update for your Exchange build (2016 CU23, 2019 CU14, 2019 CU15, or Subscription Edition RTM) as documented at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-55008 - the exact fixed build numbers are listed in that MSRC entry and should be applied to every affected server and cumulative update level. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and inventory all Microsoft Exchange Server instances running versions 2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM across your organization. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Cross-site scripting (XSS) in Microsoft Exchange Server enables remote attackers to spoof content and steal credentials
Remote code execution in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM) lets an aut
Local privilege escalation in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM) allows
Local privilege escalation in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM) allows
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44026
GHSA-xpfg-cjj6-56wx