Cross-Site Scripting Vulnerability in Microsoft Exchange Server
CVE-2026-42897

8.1HIGH

Key Information:

Vendor: Microsoft
Status: Microsoft Exchange Server 2016 Cumulative Update 23; Microsoft Exchange Server 2019 Cumulative Update 14; Microsoft Exchange Server 2019 Cumulative Update 15; Microsoft Exchange Server Subscription Edition Rtm
Vendor: CVE Published:; 14 May 2026

What is CVE-2026-42897?

An XSS vulnerability exists in Microsoft Exchange Server due to improper input neutralization during web page generation. This flaw can be exploited by attackers to perform spoofing attacks, potentially leading to unauthorized access or malicious actions over a network. It is essential for users to apply the necessary patches and follow security best practices to mitigate the risks associated with this vulnerability.

Affected Version(s)

Microsoft Exchange Server 2016 Cumulative Update 23 x64-based Systems -

Microsoft Exchange Server 2019 Cumulative Update 14 x64-based Systems -

Microsoft Exchange Server 2019 Cumulative Update 15 x64-based Systems -

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE...

vendor-advisorypatch

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2026
Vulnerability Reserved
Apr 30, 2026

CVE-2026-42897 Data

JSON