CVE-2026-55008: Microsoft Exchange Server Spoofing Vulnerability

Overview

Severity
Critical (CVSS 9.6)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Category
Spoofing
Exploit Status
Not Exploited
Exploitation Likelihood
More Likely
Patch Tuesday
2026-Jul
Released
2026-07-14

Description

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

FAQ

Microsoft recommends installing the July 2026 Security Updates for your version of Exchange Server to be protected from this vulnerability. Customers who have installed the July 2026 Security Updates on all affected Exchange servers are fully protected and may safely remove the CVE-2026-42897 mitigation (which is similar in nature and mitigates CVE-2026-55008 also). Microsoft recommends keeping the Emergency Mitigation (EM) Service enabled to receive future emergency mitigations and security protections. For additional information, please see the Exchange blog post. How could an attacker exploit this vulnerability? An attacker could exploit this issue by sending a specifically crafted malicious email to the user. If the user opens this email, in Outlook Web Access, and certain conditions are met, arbitrary execution of JavaScript would occur in the browser context.

Affected Products (4)

ESU

  • Microsoft Exchange Server 2016 Cumulative Update 23
  • Microsoft Exchange Server 2019 Cumulative Update 14
  • Microsoft Exchange Server 2019 Cumulative Update 15

Server Software

  • Microsoft Exchange Server Subscription Edition RTM

Security Updates (1)

Acknowledgments

Michael Maturi with Google

Revision History

  • 2026-07-14: Information published.