Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
AnalysisAI
Cross-site scripting in Microsoft Exchange Server's web interface enables unauthenticated remote attackers to perform spoofing attacks against users of Exchange Server 2016, 2019, and Subscription Edition. The CVSS vector (PR:N/UI:R/S:C) indicates no attacker authentication is required, but a victim must interact with a crafted link, and the Changed Scope means injected scripts can cross browser security boundaries within the Exchange session. No public exploit has been identified at time of analysis, and vendor-released patches are available addressing all affected cumulative update branches.
Technical ContextAI
CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates that one or more Exchange Server web components - most likely Outlook Web App (OWA), Exchange Admin Center (EAC), or Exchange Control Panel (ECP) - fail to sanitize user-supplied input before embedding it in HTML responses. The Changed Scope (S:C) in the CVSS vector is characteristic of reflected XSS where script execution occurs in the victim's browser context, potentially accessing resources beyond the immediate vulnerable endpoint, such as Exchange mailbox data or administrative session tokens. Affected products span Exchange 2016 CU23 (build line 15.01.x), Exchange 2019 CU14 and CU15 (build line 15.02.x), and Exchange Server Subscription Edition RTM (also 15.02.x), as identified by EUVD-2026-35676. The vulnerability was reported by secure@microsoft.com, indicating internal or coordinated disclosure.
RemediationAI
Apply the vendor-released patches: Exchange Server 2016 CU23 administrators should upgrade to build 15.01.2507.069 or later; Exchange Server 2019 CU14 administrators should upgrade to build 15.02.1544.041 or later; Exchange Server 2019 CU15 administrators should upgrade to build 15.02.1748.046 or later; and Exchange Server Subscription Edition RTM administrators should upgrade to build 15.02.2562.043 or later. Authoritative patch guidance is available at the Microsoft MSRC advisory https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45500 and via VulDB advisory https://vuldb.com/vuln/369693. If immediate patching is not feasible, restricting access to Exchange web interfaces (OWA, EAC) to internal networks or VPN-only endpoints eliminates the external phishing delivery path - note this will impact remote webmail access for end users. Enforcing strict Content Security Policy (CSP) headers on Exchange web endpoints, where supported, can reduce XSS script execution impact as a compensating control, but CSP configuration on Exchange is limited and is not a substitute for patching.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35676
GHSA-qcvw-gcv7-757q