Skip to main content

Microsoft Exchange Server Subscription Edition Rtm

5 CVEs product

Monthly

CVE-2026-55009 HIGH PATCH This Week

Local privilege escalation in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM) allows an already-authenticated attacker with low privileges to elevate to higher privileges by abusing unsafe deserialization of untrusted data. Microsoft reported the flaw and has released a patch; no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS 3.1 base score is 7.8 (High), reflecting full confidentiality, integrity, and availability impact on the affected host.

Microsoft Deserialization Microsoft Exchange Server 2016 Cumulative Update 23 Microsoft Exchange Server 2019 Cumulative Update 14 Microsoft Exchange Server 2019 Cumulative Update 15 +1
NVD
CVSS 3.1
7.8
EPSS
1.7%
CVE-2026-55008 CRITICAL PATCH NEWS Exploit Likely Act Now

Stored/reflected cross-site scripting in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM) lets a network-based, unauthenticated attacker inject malicious script that executes in a victim's browser session, enabling spoofing and - per the scope-changed CVSS 9.6 vector - high impact to confidentiality, integrity, and availability of resources beyond the vulnerable component. Exploitation requires the target to view attacker-controlled content (UI:R). Microsoft has released a patch; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Microsoft XSS Microsoft Exchange Server 2016 Cumulative Update 23 Microsoft Exchange Server 2019 Cumulative Update 14 Microsoft Exchange Server 2019 Cumulative Update 15 +1
NVD
CVSS 3.1
9.6
EPSS
0.7%
CVE-2026-55006 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM) allows an authenticated attacker with low-level privileges on the server to elevate to higher privileges due to insufficiently granular access controls (CWE-1220). The CVSS 3.1 score of 7.8 (AV:L/AC:L/PR:L) reflects local exploitation yielding full confidentiality, integrity, and availability impact. A vendor patch is available; there is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

Microsoft Information Disclosure Microsoft Exchange Server 2016 Cumulative Update 23 Microsoft Exchange Server 2019 Cumulative Update 14 Microsoft Exchange Server 2019 Cumulative Update 15 +1
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-55005 HIGH PATCH Exploit Unlikely This Week

Remote code execution in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM) lets an authenticated attacker corrupt heap memory to run arbitrary code across the network. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N) shows low-privilege network exploitation with full confidentiality, integrity, and availability impact, and Microsoft has released a patch. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Heap Overflow Buffer Overflow Microsoft Microsoft Exchange Server 2016 Cumulative Update 23 Microsoft Exchange Server 2019 Cumulative Update 14 +2
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2026-42897 MEDIUM POC KEV PATCH THREAT Exploited Act Now

Cross-site scripting (XSS) in Microsoft Exchange Server enables remote attackers to spoof content and steal credentials without authentication. Affects Exchange Server 2016 CU23, 2019 CU14/CU15, and Subscription Edition. Functional exploit code exists (CVSS temporal E:F) though no active exploitation confirmed at analysis time. CVSS 8.1 (High) driven by network vector, no authentication requirement, and dual confidentiality/integrity impact. Microsoft released patches via MSRC security update guide. Medium-high priority for organizations running affected Exchange versions with webmail or OWA exposed.

XSS Microsoft Microsoft Exchange Server 2016 Cumulative Update 23 Microsoft Exchange Server 2019 Cumulative Update 14 Microsoft Exchange Server 2019 Cumulative Update 15 +1
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.2%
Threat
5.1
EPSS 2% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM) allows an already-authenticated attacker with low privileges to elevate to higher privileges by abusing unsafe deserialization of untrusted data. Microsoft reported the flaw and has released a patch; no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS 3.1 base score is 7.8 (High), reflecting full confidentiality, integrity, and availability impact on the affected host.

Microsoft Deserialization Microsoft Exchange Server 2016 Cumulative Update 23 +3
NVD
EPSS 1% CVSS 9.6
CRITICAL PATCH Exploit Likely Act Now

Stored/reflected cross-site scripting in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM) lets a network-based, unauthenticated attacker inject malicious script that executes in a victim's browser session, enabling spoofing and - per the scope-changed CVSS 9.6 vector - high impact to confidentiality, integrity, and availability of resources beyond the vulnerable component. Exploitation requires the target to view attacker-controlled content (UI:R). Microsoft has released a patch; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Microsoft XSS Microsoft Exchange Server 2016 Cumulative Update 23 +3
NVD
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM) allows an authenticated attacker with low-level privileges on the server to elevate to higher privileges due to insufficiently granular access controls (CWE-1220). The CVSS 3.1 score of 7.8 (AV:L/AC:L/PR:L) reflects local exploitation yielding full confidentiality, integrity, and availability impact. A vendor patch is available; there is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

Microsoft Information Disclosure Microsoft Exchange Server 2016 Cumulative Update 23 +3
NVD
EPSS 1% CVSS 8.8
HIGH PATCH Exploit Unlikely This Week

Remote code execution in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM) lets an authenticated attacker corrupt heap memory to run arbitrary code across the network. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N) shows low-privilege network exploitation with full confidentiality, integrity, and availability impact, and Microsoft has released a patch. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Heap Overflow Buffer Overflow Microsoft +4
NVD
EPSS 0% 5.1 CVSS 6.1
MEDIUM POC KEV PATCH THREAT Exploited Act Now

Cross-site scripting (XSS) in Microsoft Exchange Server enables remote attackers to spoof content and steal credentials without authentication. Affects Exchange Server 2016 CU23, 2019 CU14/CU15, and Subscription Edition. Functional exploit code exists (CVSS temporal E:F) though no active exploitation confirmed at analysis time. CVSS 8.1 (High) driven by network vector, no authentication requirement, and dual confidentiality/integrity impact. Microsoft released patches via MSRC security update guide. Medium-high priority for organizations running affected Exchange versions with webmail or OWA exposed.

XSS Microsoft Microsoft Exchange Server 2016 Cumulative Update 23 +3
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy