CVE-2026-45501 - Vulnerability Details

- Microsoft Exchange Server Spoofing Vulnerability

Description

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

Published: 2026-06-09

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Microsoft Exchange Server is vulnerable to an improper neutralization of input during web page generation, known as cross‑site scripting. This flaw allows an unauthorized attacker to inject malicious content that the server renders, leading to spoofing of messages or identities over the network.

Affected Systems

The vulnerability affects Microsoft Exchange Server 2016 Cumulative Update 23, Exchange Server 2019 Cumulative Update 14, Exchange Server 2019 Cumulative Update 15, and Exchange Server Subscription Edition RTM. All listed versions remain vulnerable until the corresponding cumulative update or patch for CVE‑2026‑45501 is applied.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score is less than 1% (approximately 0.00297), and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is expected to be network‑based, with an attacker sending HTTP or HTTPS requests containing malicious payloads that trigger the cross‑site scripting flaw. Upon exploitation, the server can produce content that deceives users or devices into accepting spoofed identities or communications. Because the flaw does not require the attacker to have pre‑existing credentials, the risk is higher for systems that expose web services to untrusted networks, but patching remains the most effective mitigation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Microsoft

Microsoft Exchange Server 2016 Cumulative Update 23

affected

Version	Status	Constraints
`15.01.0.0`	affected	< 15.01.2507.069

Microsoft

Microsoft Exchange Server 2019 Cumulative Update 14

affected

Version	Status	Constraints
`15.02.0.0`	affected	< 15.02.1544.041

Microsoft

Microsoft Exchange Server 2019 Cumulative Update 15

affected

Version	Status	Constraints
`15.02.0.0`	affected	< 15.02.1748.046

Microsoft

Microsoft Exchange Server Subscription Edition RTM

affected

Version	Status	Constraints
`15.02.0.0`	affected	< 15.02.2562.043

Configuration 1 [-]

OR	cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_23::::::
	cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_14::::::
	cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_15::::::
	cpe:2.3:a:microsoft:exchange_server_subscription_edition::::::::

No data.

Vendor Product Confidence Versions

Microsoft

Exchange Server 2016

100%

Version	Status	Scheme	Platform
`[15.01.0.0,15.01.2507.069)`	affected	generic	['x64-based_systems']

Microsoft

Exchange Server 2019

100%

Version	Status	Scheme	Platform
`[15.02.0.0,15.02.1544.041)`	affected	generic	['x64-based_systems']
`[15.02.0.0,15.02.1748.046)`	affected	generic	['x64-based_systems']

Microsoft

Exchange Server Se

100%

Version	Status	Scheme	Platform
`[15.02.0.0,15.02.2562.043)`	affected	generic	['x64-based_systems']

Microsoft

Microsoft Exchange Server 2016 Cumulative Update 23

100%

Version	Status	Scheme	Platform
`[15.01.0.0,15.01.2507.069)`	affected	generic	['x64-based_systems']

Microsoft

Microsoft Exchange Server 2019 Cumulative Update 14

100%

Version	Status	Scheme	Platform
`[15.02.0.0,15.02.1544.041)`	affected	generic	['x64-based_systems']

Microsoft

Microsoft Exchange Server 2019 Cumulative Update 15

100%

Version	Status	Scheme	Platform
`[15.02.0.0,15.02.1748.046)`	affected	generic	['x64-based_systems']

Microsoft

Microsoft Exchange Server Subscription Edition Rtm

100%

Version	Status	Scheme	Platform
`[15.02.0.0,15.02.2562.043)`	affected	generic	['x64-based_systems']

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Install the latest cumulative update for the affected Exchange Server version or apply the specific patch released for CVE‑2026‑45501
If patching cannot be performed immediately, restrict external web access to the Exchange web services and enforce strict input validation or request filtering to mitigate cross‑site scripting exploitation
Ensure the Exchange service is not exposed to untrusted networks and consider disabling legacy authentication endpoints that may broaden the attack surface

Generated by OpenCVE AI on June 18, 2026 at 03:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00308.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45501

History

Mon, 15 Jun 2026 19:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Microsoft exchange Server Microsoft exchange Server Subscription Edition
Weaknesses		CWE-79
CPEs		cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_23:::::: cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_14:::::: cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_15:::::: cpe:2.3:a:microsoft:exchange_server_subscription_edition::::::::
Vendors & Products		Microsoft exchange Server Microsoft exchange Server Subscription Edition

Tue, 09 Jun 2026 22:30:00 +0000

Type	Values Removed	Values Added
Description	Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to perform spoofing over a network.	Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

Tue, 09 Jun 2026 21:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Microsoft microsoft Exchange Server 2016 Cumulative Update 23 Microsoft microsoft Exchange Server 2019 Cumulative Update 14 Microsoft microsoft Exchange Server 2019 Cumulative Update 15 Microsoft microsoft Exchange Server Subscription Edition Rtm
Vendors & Products		Microsoft microsoft Exchange Server 2016 Cumulative Update 23 Microsoft microsoft Exchange Server 2019 Cumulative Update 14 Microsoft microsoft Exchange Server 2019 Cumulative Update 15 Microsoft microsoft Exchange Server Subscription Edition Rtm
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 09 Jun 2026 18:00:00 +0000

Type	Values Removed	Values Added
Description	Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.	Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to perform spoofing over a network.

Tue, 09 Jun 2026 17:15:00 +0000

Type	Values Removed	Values Added
Description		Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
Title		Microsoft Exchange Server Spoofing Vulnerability
First Time appeared		Microsoft Microsoft exchange Server 2016 Microsoft exchange Server 2019 Microsoft exchange Server Se
Weaknesses		CWE-918
CPEs		cpe:2.3:a:microsoft:exchange_server_2016::cumulative_update_23::::::* cpe:2.3:a:microsoft:exchange_server_2019::cumulative_update_14::::::* cpe:2.3:a:microsoft:exchange_server_2019::cumulative_update_15::::::* cpe:2.3:a:microsoft:exchange_server_se::RTM::::::*
Vendors & Products		Microsoft Microsoft exchange Server 2016 Microsoft exchange Server 2019 Microsoft exchange Server Se
References		https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45501
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C'}`

Subscriptions

Microsoft Exchange Server Exchange Server 2016 Exchange Server 2019 Exchange Server Se Exchange Server Subscription Edition Microsoft Exchange Server 2016 Cumulative Update 23 Microsoft Exchange Server 2019 Cumulative Update 14 Microsoft Exchange Server 2019 Cumulative Update 15 Microsoft Exchange Server Subscription Edition Rtm

MITRE

Status: PUBLISHED

Assigner: microsoft

Published: 2026-06-09T17:04:45.533Z

Updated: 2026-06-26T19:40:53.506Z

Reserved: 2026-05-12T16:07:22.619Z

Link: CVE-2026-45501

Vulnrichment

Updated: 2026-06-09T19:52:36.989Z

NVD

Status : Analyzed

Published: 2026-06-09T17:17:25.880

Modified: 2026-06-15T19:27:20.207

Link: CVE-2026-45501

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T04:00:15Z

Weaknesses

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-918
Server-Side Request Forgery (SSRF)

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object