Description
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
Published: 2026-06-09
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user-supplied input during web page generation in Microsoft Exchange Server leads to a cross-site scripting flaw (CWE-79). The vulnerability permits an attacker to inject script into pages served by Exchange, which can then be used to impersonate legitimate traffic or user identities. The description explicitly states that an unauthorized attacker can perform spoofing over a network; consequences beyond spoofing are not detailed, but such injected scripts could plausibly facilitate phishing or other deceptive actions, undermining trust in the web interface.

Affected Systems

Microsoft Exchange Server 2016 is vulnerable in Cumulative Update 23, while Microsoft Exchange Server 2019 is affected in Cumulative Updates 14 and 15. The Subscription Edition at RTM release also remains impacted. All affected products are listed with their specific cumulative updates in the vendor data.

Risk and Exploitability

The CVSS score of 8.1 denotes high severity. No EPSS score is provided, and the vulnerability is not included in CISA's KEV catalog, implying no publicly confirmed exploitation yet. The description indicates that an unauthorized attacker can exploit the flaw without authentication, suggesting that crafted requests can be sent over the network to trigger the XSS payload; note that the published CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) records user interaction as required, which is consistent with a victim having to open an attacker-supplied link or page. Given the high severity, the lack of an authentication requirement, and the potential to spoof traffic, the risk to network integrity and user trust remains significant.

Generated by OpenCVE AI on June 9, 2026 at 20:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft Exchange Server cumulative update—CU23 for Exchange 2016, CU14 or CU15 for Exchange 2019, and the latest patch for the Subscription Edition.
  • For the interim, restrict Exchange web interface access to trusted IP ranges and disable legacy transport protocols if possible.
  • Deploy a web application firewall rule that blocks or sanitizes suspicious script content before it reaches Exchange web services.

Generated by OpenCVE AI on June 9, 2026 at 20:27 UTC.


Advisories

No advisories yet.

History

Tue, 09 Jun 2026 17:15:00 +0000

Type: Description
  Values removed: (none)
  Values added: Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

Type: Title
  Values removed: (none)
  Values added: Microsoft Exchange Server Spoofing Vulnerability

Type: First Time appeared
  Values removed: (none)
  Values added: Microsoft; Microsoft exchange Server 2016; Microsoft exchange Server 2019; Microsoft exchange Server Se

Type: Weaknesses
  Values removed: (none)
  Values added: CWE-79

Type: CPEs
  Values removed: (none)
  Values added:
    cpe:2.3:a:microsoft:exchange_server_2016:*:cumulative_update_23:*:*:*:*:*:*
    cpe:2.3:a:microsoft:exchange_server_2019:*:cumulative_update_14:*:*:*:*:*:*
    cpe:2.3:a:microsoft:exchange_server_2019:*:cumulative_update_15:*:*:*:*:*:*
    cpe:2.3:a:microsoft:exchange_server_se:*:RTM:*:*:*:*:*:*

Type: Vendors & Products
  Values removed: (none)
  Values added: Microsoft; Microsoft exchange Server 2016; Microsoft exchange Server 2019; Microsoft exchange Server Se

Type: References
  Values removed: (none)
  Values added: (none)

Type: Metrics
  Values removed: (none)
  Values added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T17:50:10.832Z

Reserved: 2026-05-19T20:12:27.069Z

Link: CVE-2026-47631

Vulnrichment

No data.

NVD

Status: Undergoing Analysis

Published: 2026-06-09T17:17:35.173

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-47631

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T20:30:13Z

Weaknesses