SYS::ONLINE
Wasteland.
Briefs1204
Issues19
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-55008 2026-07-14

CVE-2026-55008: Critical Cross-Site Scripting Flaw in Microsoft Exchange Server

"Microsoft Exchange Server contains a critical cross-site scripting vulnerability (CVSS 9.6) that lets an unauthenticated attacker perform network-based spoofing when a user is lured into interacting with malicious input."

Microsoft Exchange Server contains a critical cross-site scripting vulnerability (CVSS 9.6) that lets an unauthenticated attacker perform network-based spoofing when a user is lured into interacting with malicious input.

What Is It

CVE-2026-55008 is an improper neutralization of input during web page generation, a classic cross-site scripting (XSS) weakness, tracked as CWE-79. According to Microsoft, the flaw in Microsoft Exchange Server "allows an unauthorized attacker to perform spoofing over a network." The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H, meaning it is remotely reachable, low in complexity, and requires no privileges, though it does require user interaction. Its scope is marked as Changed, reflecting impact beyond the initially vulnerable component.

Why It Matters

With a base score of 9.6 (CRITICAL), this is among the most severe classes of Exchange vulnerabilities. The combination of network attack vector, no required privileges, and high confidentiality, integrity, and availability impacts makes it a strong candidate for phishing-style attacks against Exchange users. Exchange servers are high-value targets that frequently sit at the perimeter of enterprise mail infrastructure, so a spoofing-capable XSS carries outsized risk. Note: the supplied CISA KEV data is empty, so there is no confirmed active exploitation for this CVE at the time of writing.

What's Vulnerable

The following Microsoft Exchange Server builds on x64-based systems are affected:

Patch Status

The CVE was published on 2026-07-14 and its NVD status is Awaiting Analysis. Microsoft has issued guidance through its MSRC update guide. Administrators should update affected Exchange builds to at or above the fixed versions listed above. No CISA KEV entry (and therefore no associated required-action deadline) was provided in the source material.

Sources