Description
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
Published: 2026-06-09
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Microsoft Exchange Server is vulnerable to an improper neutralization of input during web page generation, known as cross‑site scripting. This flaw allows an unauthorized attacker to inject malicious content that the server renders, leading to spoofing of messages or identities over the network.

Affected Systems

The vulnerability affects Microsoft Exchange Server 2016 Cumulative Update 23, Exchange Server 2019 Cumulative Update 14, Exchange Server 2019 Cumulative Update 15, and Exchange Server Subscription Edition RTM. All listed versions remain vulnerable until the corresponding cumulative update or patch for CVE‑2026‑45501 is applied.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. No EPSS score is available and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is expected to be network‑based, with an attacker sending HTTP or HTTPS requests containing malicious payloads that trigger the cross‑site scripting flaw. Upon exploitation, the server can produce content that deceives users or devices into accepting spoofed identities or communications. Because the flaw does not require the attacker to have pre‑existing credentials, the risk is higher for systems that expose web services to untrusted networks, but patching remains the most effective mitigation.

Generated by OpenCVE AI on June 9, 2026 at 23:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest cumulative update for the affected Exchange Server version or apply the specific patch released for CVE‑2026‑45501
  • If patching cannot be performed immediately, restrict external web access to the Exchange web services and enforce strict input validation or request filtering to mitigate cross‑site scripting exploitation
  • Ensure the Exchange service is not exposed to untrusted networks and consider disabling legacy authentication endpoints that may broaden the attack surface

Generated by OpenCVE AI on June 9, 2026 at 23:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Description Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to perform spoofing over a network. Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

Tue, 09 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft microsoft Exchange Server 2016 Cumulative Update 23
Microsoft microsoft Exchange Server 2019 Cumulative Update 14
Microsoft microsoft Exchange Server 2019 Cumulative Update 15
Microsoft microsoft Exchange Server Subscription Edition Rtm
Vendors & Products Microsoft microsoft Exchange Server 2016 Cumulative Update 23
Microsoft microsoft Exchange Server 2019 Cumulative Update 14
Microsoft microsoft Exchange Server 2019 Cumulative Update 15
Microsoft microsoft Exchange Server Subscription Edition Rtm
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
Description Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to perform spoofing over a network.

Tue, 09 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
Title Microsoft Exchange Server Spoofing Vulnerability
First Time appeared Microsoft
Microsoft exchange Server 2016
Microsoft exchange Server 2019
Microsoft exchange Server Se
Weaknesses CWE-918
CPEs cpe:2.3:a:microsoft:exchange_server_2016:*:cumulative_update_23:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server_2019:*:cumulative_update_14:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server_2019:*:cumulative_update_15:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server_se:*:RTM:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft exchange Server 2016
Microsoft exchange Server 2019
Microsoft exchange Server Se
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Exchange Server 2016 Exchange Server 2019 Exchange Server Se Microsoft Exchange Server 2016 Cumulative Update 23 Microsoft Exchange Server 2019 Cumulative Update 14 Microsoft Exchange Server 2019 Cumulative Update 15 Microsoft Exchange Server Subscription Edition Rtm
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T21:49:57.925Z

Reserved: 2026-05-12T16:07:22.619Z

Link: CVE-2026-45501

cve-icon Vulnrichment

Updated: 2026-06-09T19:52:36.989Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-09T17:17:25.880

Modified: 2026-06-09T23:16:54.890

Link: CVE-2026-45501

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T23:30:05Z

Weaknesses