CVE-2026-42897
Microsoft Exchange Server Cross-Site Scripting Vulnerability
CVSS
—
No CVSS
EPSS
5.6%
p92
KEV
YES
May 15, 2026
Exploit Today
78
0-100
Published: — · Last modified: —
Product
Microsoft / Microsoft
Vulnerability
Microsoft Exchange Server Cross-Site Scripting Vulnerability
Added to KEV
May 15, 2026
Remediate by
May 29, 2026
Known ransomware use
No
Summary description
Microsoft Exchange Server contains a cross-site scripting vulnerability during web page generation in Outlook Web Access and when certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context.
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42897 ; https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/security-best-practices/exchange-emergency-mitigation-service ; https://nvd.nist.gov/vuln/detail/CVE-2026-42897
No related CVEs by CWE or product.