Skip to main content

Microsoft Exchange Server CVE-2026-55008

| EUVDEUVD-2026-44026 CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2026-07-14 microsoft GHSA-xpfg-cjj6-56wx
9.6
CVSS 3.1 · Vendor: microsoft
Share

Severity by source

Vendor (microsoft) PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
ENISA EUVD
HIGH
qualitative
vuln.today AI
8.2 HIGH

Network XSS needing victim rendering (UI:R) with no auth (PR:N); scope change (S:C) into the user session; high confidentiality from session/data theft, limited integrity via spoofing, no availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 17:58 vuln.today
CVE Published
Jul 14, 2026 - 17:04 nvd
CRITICAL 9.6

DescriptionCVE.org

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

AnalysisAI

Stored/reflected cross-site scripting in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM) lets a network-based, unauthenticated attacker inject malicious script that executes in a victim's browser session, enabling spoofing and - per the scope-changed CVSS 9.6 vector - high impact to confidentiality, integrity, and availability of resources beyond the vulnerable component. Exploitation requires the target to view attacker-controlled content (UI:R). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious HTML/script payload
Delivery
Deliver via email or OWA request
Exploit
Victim renders content in Exchange web UI
Execution
Script executes in Exchange origin
Impact
Steal session / spoof content as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to render attacker-controlled content in the Exchange web interface (UI:R in the CVSS vector) - for example opening a crafted message or navigating to a malicious OWA/ECP page - so it is not zero-click. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 9.6 (Critical) driven by AV:N (network), AC:L (low complexity), PR:N (no privileges), UI:R (user interaction required), and S:C with C:H/I:H/A:H. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts an email or web request containing malicious HTML/JavaScript that Exchange fails to neutralize when generating an OWA page; when a mailbox user opens the message or view in their browser, the script executes in the Exchange web origin, allowing session token theft, spoofed content, or actions performed as the victim. Because AC is low and no authentication is needed to deliver the payload, the main barrier is convincing the victim to render the content (UI:R). …
Remediation Patch available per vendor advisory: apply the Microsoft security update for your Exchange build (2016 CU23, 2019 CU14, 2019 CU15, or Subscription Edition RTM) as documented at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-55008 - the exact fixed build numbers are listed in that MSRC entry and should be applied to every affected server and cumulative update level. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and inventory all Microsoft Exchange Server instances running versions 2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM across your organization. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55008 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy