Exchange Server
by Microsoft
CVEs (233)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-0029 |  | Med | 0.40 | 6.1 | 0.08 |  | Jan 13, 2016 | Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) in Microsoft Exchange Server 2016 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka "Exchange Spoofing Vulnerability," a different vulnerability than CVE-2016-0031. |
| CVE-2016-0028 |  | Med | 0.38 | 5.5 | 0.23 |  | Jun 16, 2016 | Outlook Web Access (OWA) in Microsoft Exchange Server 2013 SP1, Cumulative Update 11, and Cumulative Update 12 and 2016 Gold and Cumulative Update 1 does not properly restrict loading of IMG elements, which makes it easier for remote attackers to track users via a crafted HTML… |
| CVE-2018-0941 |  | Med | 0.37 | 5.5 | 0.13 |  | Mar 14, 2018 | Microsoft Exchange Server 2016 Cumulative Update 7 and Microsoft Exchange Server 2016 Cumulative Update 8 allow an information disclosure vulnerability due to how data is imported, aka "Microsoft Exchange Information Disclosure Vulnerability". This CVE is unique from… |
| CVE-2025-25007 |  | Med | 0.35 | 5.3 | 0.01 |  | Aug 12, 2025 | Improper validation of syntactic correctness of input in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. |
| CVE-2025-25006 |  | Med | 0.35 | 5.3 | 0.01 |  | Aug 12, 2025 | Improper handling of additional special element in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. |
| CVE-2018-8448 |  | Med | 0.35 | 5.4 | 0.03 |  | Oct 10, 2018 | An elevation of privilege vulnerability exists when Microsoft Exchange Outlook Web Access (OWA) fails to properly handle web requests, aka "Microsoft Exchange Server Elevation of Privilege Vulnerability." This affects Microsoft Exchange Server. |
| CVE-2018-8159 |  | Med | 0.35 | 5.4 | 0.03 |  | May 9, 2018 | An elevation of privilege vulnerability exists when Microsoft Exchange Outlook Web Access (OWA) fails to properly handle web requests, aka "Microsoft Exchange Elevation of Privilege Vulnerability." This affects Microsoft Exchange Server. |
| CVE-2018-8153 |  | Med | 0.35 | 5.4 | 0.03 |  | May 9, 2018 | A spoofing vulnerability exists in Microsoft Exchange Server when Outlook Web Access (OWA) fails to properly handle web requests, aka "Microsoft Exchange Spoofing Vulnerability." This affects Microsoft Exchange Server. |
| CVE-2018-8152 |  | Med | 0.35 | 5.4 | 0.03 |  | May 9, 2018 | An elevation of privilege vulnerability exists when Microsoft Exchange Outlook Web Access (OWA) fails to properly handle web requests, aka "Microsoft Exchange Server Elevation of Privilege Vulnerability." This affects Microsoft Exchange Server. |
| CVE-2017-11761 |  | Med | 0.35 | 5.3 | 0.07 |  | Sep 13, 2017 | Microsoft Exchange Server 2013 and Microsoft Exchange Server 2016 allow an input sanitization issue with Microsoft Exchange that could potentially result in unintended Information Disclosure, aka "Microsoft Exchange Information Disclosure Vulnerability" |
| CVE-2025-64667 |  | Med | 0.34 | 5.3 | 0.01 |  | Dec 9, 2025 | User interface (ui) misrepresentation of critical information in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. |
| CVE-2026-45502 |  | Med | 0.33 | 5.0 | 0.00 |  | Jun 9, 2026 | Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to disclose information over a network. |
| CVE-2022-41040 |  |  | 0.29 | — | 1.00 | KEV | Oct 3, 2022 | Microsoft Exchange Server Elevation of Privilege Vulnerability |
| CVE-2021-34523 |  |  | 0.29 | — | 1.00 | KEV | Jul 14, 2021 | Microsoft Exchange Server Elevation of Privilege Vulnerability |
| CVE-2021-34473 |  |  | 0.29 | — | 1.00 | KEV | Jul 14, 2021 | Microsoft Exchange Server Remote Code Execution Vulnerability |
| CVE-2021-31207 |  |  | 0.29 | — | 1.00 | KEV | May 11, 2021 | Microsoft Exchange Server Security Feature Bypass Vulnerability |
| CVE-2021-27065 |  |  | 0.29 | — | 1.00 | KEV | Mar 2, 2021 | Microsoft Exchange Server Remote Code Execution Vulnerability |
| CVE-2021-26855 |  |  | 0.29 | — | 1.00 | KEV | Mar 2, 2021 | Microsoft Exchange Server Remote Code Execution Vulnerability |
| CVE-2020-0688 |  |  | 0.29 | — | 1.00 | KEV | Feb 11, 2020 | A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'. |
| CVE-2018-8151 |  | Med | 0.29 | 4.3 | 0.08 |  | May 9, 2018 | An information disclosure vulnerability exists when Microsoft Exchange improperly handles objects in memory, aka "Microsoft Exchange Memory Corruption Vulnerability." This affects Microsoft Exchange Server. This CVE ID is unique from CVE-2018-8154. |
Page 3 of 12