Cross-Site Scripting Vulnerability in Microsoft Exchange Server
CVE-2026-42897
Key Information:
- Vendor: Microsoft
- Status:
- CVE Published: 14 May 2026
What is CVE-2026-42897?
CVE-2026-42897 is a cross-site scripting (XSS) vulnerability in Microsoft Exchange Server, a widely used email and calendaring platform for businesses and organizations. The vulnerability arises from improper neutralization of user input during web page generation, which allows an unauthorized attacker to inject script that executes in the browsers of other users who view the affected pages. The impact can be severe: the attacker can carry out spoofing attacks within the network, misleading users and compromising sensitive information. Specifically, an attacker could mimic a legitimate user, potentially gaining unauthorized access to sensitive communications or data.
Potential impact of CVE-2026-42897
- Spoofing Attacks: Unauthorized attackers can impersonate legitimate users, leading to potential misinformation and manipulation of user actions, which can compromise data integrity and trust within the organization.
- Data Leakage: Sensitive information may be captured by scripts injected through the vulnerability, which can lead to data breaches and exploitation of confidential data.
- User Distrust: Exploitation of this vulnerability can create a climate of distrust among users, who may become skeptical about the authenticity of communications and transactions within the Exchange Server platform, damaging the reputation of the organization.
CISA has reported CVE-2026-42897
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2026-42897 as being exploited, but it is not known to CISA to be used in ransomware campaigns. This is subject to change quickly, as recent news articles suggest the vulnerability is being used by ransomware groups.
CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
- Microsoft Exchange Server 2016 Cumulative Update 23, x64-based Systems, 15.01.0.0
- Microsoft Exchange Server 2019 Cumulative Update 14, x64-based Systems, 15.02.0.0
- Microsoft Exchange Server 2019 Cumulative Update 15, x64-based Systems, 15.02.0.0
News Articles
Microsoft patches several zero-day vulnerabilities with emergency updates
Microsoft's May Patch Tuesday looked quiet. Since then, there's been an unpatched Exchange CVE, three Defender flaws, and a new BitLocker bypass.
2 weeks ago
Exchange Server OWA Zero-Day CVE-2026-42897 Exploited With No Permanent Patch and New Mitigation Gaps
Microsoft confirmed on May 14 that CVE-2026-42897 — a cross-site scripting flaw in the Outlook Web Access component of Exchange Server 2016, 2019, and Subscription Edition — is under active
2 weeks ago
Microsoft Exchange Zero-Day Under Attack, No Patch Available
CVE-2026-42897 stems from a cross-site scripting (XSS) vulnerability and can allow an attacker to compromise Outlook Web Access (OWA) mailboxes.
2 weeks ago
EPSS Score: 10% chance of being exploited in the next 30 days.
Timeline
- 💰 Used in Ransomware
- 👾 Exploit known to exist
- 🦅 CISA Reported
- 📰 First article discovered by Securityweek
- 📈 Vulnerability started trending
- Vulnerability published
- Vulnerability Reserved