Microsoft Exchange Server contains a critical cross-site scripting vulnerability (CVSS 9.6) that lets an unauthenticated attacker perform network-based spoofing when a user is lured into interacting with malicious input.
What Is It
CVE-2026-55008 is an improper neutralization of input during web page generation, a classic cross-site scripting (XSS) weakness, tracked as CWE-79. According to Microsoft, the flaw in Microsoft Exchange Server "allows an unauthorized attacker to perform spoofing over a network." The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H, meaning it is remotely reachable, low in complexity, and requires no privileges, though it does require user interaction. Its scope is marked as Changed, reflecting impact beyond the initially vulnerable component.
Why It Matters
With a base score of 9.6 (CRITICAL), this is among the most severe classes of Exchange vulnerabilities. The combination of network attack vector, no required privileges, and high confidentiality, integrity, and availability impacts makes it a strong candidate for phishing-style attacks against Exchange users. Exchange servers are high-value targets that frequently sit at the perimeter of enterprise mail infrastructure, so a spoofing-capable XSS carries outsized risk. Note: the supplied CISA KEV data is empty, so there is no confirmed active exploitation for this CVE at the time of writing.
What's Vulnerable
The following Microsoft Exchange Server builds on x64-based systems are affected:
- Exchange Server 2016 CU23: versions below 15.01.2507.071
- Exchange Server 2019 CU14: versions below 15.02.1544.043
- Exchange Server 2019 CU15: versions below 15.02.1748.048
- Exchange Server Subscription Edition RTM: versions below 15.02.2562.045
Patch Status
The CVE was published on 2026-07-14 and its NVD status is Awaiting Analysis. Microsoft has issued guidance through its MSRC update guide. Administrators should update affected Exchange builds to at or above the fixed versions listed above. No CISA KEV entry (and therefore no associated required-action deadline) was provided in the source material.
Sources
- MSRC Update Guide; CVE-2026-55008: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-55008
- NVD, CVE-2026-55008: https://nvd.nist.gov/vuln/detail/CVE-2026-55008