CVE-2026-55008 is a Microsoft Exchange Server spoofing vulnerability, identified as a cross-site scripting issue in web page generation. Microsoft rates it Critical with a CVSS v3.1 base score of 9.6 and temporal score of 8.3. The attack vector is NETWORK, attack complexity is LOW, privileges required are NONE, and user interaction is REQUIRED; scope is CHANGED and the CIA impacts are all HIGH. Microsoft says it is not publicly disclosed and not exploited, but exploitation likelihood is “Exploitation More Likely.” The FAQ states an attacker can send a specially crafted malicious email that, if opened in Outlook Web Access and certain conditions are met, causes arbitrary JavaScript execution in the browser context, making this a phishing-related webmail risk for Exchange environments. Highlights: - CVSS scores: Base 9.6 - Temporal 8.3 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN. - Impact: Spoofing / cross-site scripting with HIGH confidentiality, HIGH integrity, and HIGH availability impacts. - Exploitation likelihood: Exploitation More Likely; NETWORK vector with LOW attack complexity, NO privileges required, and REQUIRED user interaction. - Severity for enterprise: High risk for Exchange deployments, especially user-facing OWA environments, because exploitation is network-based and email-triggered, though it requires user interaction. - Patch status: available; customer action required. Affected systems: - No products listed in the source data.