Skip to main content

Microsoft Exchange Server EUVDEUVD-2026-35676

| CVE-2026-45500 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-09 secure@microsoft.com GHSA-qcvw-gcv7-757q
6.1
CVSS 3.1 · NVD
Temporal: 5.3
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
ENISA EUVD
HIGH
qualitative
CIRCL (temporal)
5.3 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 09, 2026 - 19:42 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
MEDIUM 6.1

DescriptionCVE.org

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

AnalysisAI

Cross-site scripting in Microsoft Exchange Server's web interface enables unauthenticated remote attackers to perform spoofing attacks against users of Exchange Server 2016, 2019, and Subscription Edition. The CVSS vector (PR:N/UI:R/S:C) indicates no attacker authentication is required, but a victim must interact with a crafted link, and the Changed Scope means injected scripts can cross browser security boundaries within the Exchange session. No public exploit has been identified at time of analysis, and vendor-released patches are available addressing all affected cumulative update branches.

Technical ContextAI

CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates that one or more Exchange Server web components - most likely Outlook Web App (OWA), Exchange Admin Center (EAC), or Exchange Control Panel (ECP) - fail to sanitize user-supplied input before embedding it in HTML responses. The Changed Scope (S:C) in the CVSS vector is characteristic of reflected XSS where script execution occurs in the victim's browser context, potentially accessing resources beyond the immediate vulnerable endpoint, such as Exchange mailbox data or administrative session tokens. Affected products span Exchange 2016 CU23 (build line 15.01.x), Exchange 2019 CU14 and CU15 (build line 15.02.x), and Exchange Server Subscription Edition RTM (also 15.02.x), as identified by EUVD-2026-35676. The vulnerability was reported by secure@microsoft.com, indicating internal or coordinated disclosure.

RemediationAI

Apply the vendor-released patches: Exchange Server 2016 CU23 administrators should upgrade to build 15.01.2507.069 or later; Exchange Server 2019 CU14 administrators should upgrade to build 15.02.1544.041 or later; Exchange Server 2019 CU15 administrators should upgrade to build 15.02.1748.046 or later; and Exchange Server Subscription Edition RTM administrators should upgrade to build 15.02.2562.043 or later. Authoritative patch guidance is available at the Microsoft MSRC advisory https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45500 and via VulDB advisory https://vuldb.com/vuln/369693. If immediate patching is not feasible, restricting access to Exchange web interfaces (OWA, EAC) to internal networks or VPN-only endpoints eliminates the external phishing delivery path - note this will impact remote webmail access for end users. Enforcing strict Content Security Policy (CSP) headers on Exchange web endpoints, where supported, can reduce XSS script execution impact as a compensating control, but CSP configuration on Exchange is limited and is not a substitute for patching.

Share

EUVD-2026-35676 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy