Microsoft Exchange Server Server-Side Request Forgery

Publication date: 2026-06-09

Last updated on: 2026-06-15

Assigner: Microsoft Corporation

Description

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-09

Last Modified

2026-06-15

Generated

2026-06-30

AI Q&A

2026-06-09

EPSS Evaluated

2026-06-28

NVD

CVE-2026-45501

EUVD

EUVD-2026-35677

Affected Vendors & Products

Vendor	Product	Version / Range
microsoft	exchange_server	2016
microsoft	exchange_server	2019
microsoft	exchange_server	2019
microsoft	exchange_server_subscription_edition	to 15.02.2562.043 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-918	The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CWE-79	The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

Executive Summary

This vulnerability is a type of cross-site scripting (XSS) in Microsoft Exchange Server caused by improper neutralization of input during web page generation. It allows an unauthorized attacker to perform spoofing over a network.

Impact Analysis

The vulnerability can be exploited to perform spoofing attacks over a network, potentially allowing attackers to impersonate legitimate users or services. This can lead to unauthorized access or manipulation of information.

Hi! I’m here to help you understand CVE-2026-45501. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70