
CVE-2026-42897: Actively Exploited XSS Vulnerability in Microsoft Exchange Server

The point: CVE-2026-42897 lets a crafted email trigger JavaScript execution in Outlook Web Access, and it is already being exploited in attacks.

Microsoft has confirmed a security vulnerability (CVE-2026-42897, CVSS 8.1) that is already being actively exploited in attacks against on-premises Exchange Server installations. The flaw stems from insufficient validation of input while web pages are rendered and enables spoofing attacks via maliciously crafted emails.

The vulnerability is a cross-site scripting (XSS) flaw in Microsoft Exchange Server. According to Microsoft's security advisory issued Thursday, insufficient sanitization of input during web display generation allows an unauthorized attacker to conduct spoofing attacks over a network; Microsoft rates it CVSS 8.1.

Exploitation requires a specially crafted email. When a user opens it in Outlook Web Access and performs certain interactions, arbitrary JavaScript runs in that user's browser within the context of the OWA session. All on-premises versions are affected at every update level: Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE). Exchange Online is not affected.

As an interim measure, Microsoft points to the Exchange Emergency Mitigation Service (EEMS), which is enabled by default on builds that ship it and applies mitigations automatically by installing IIS URL Rewrite rules. Administrators should verify that this Windows service is running and that mitigations have not been disabled at the server or organization level, since a stopped service or a disabled switch means nothing is applied. For isolated (air-gapped) systems, which cannot fetch mitigations, Microsoft has defined additional manual steps. A complete patch is being prepared; the mitigation reduces exposure but is not a substitute for it.
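As an added example (not code from Microsoft's advisory or from the article), the following PowerShell, run in the Exchange Management Shell on each on-premises server, performs the checks just described: service state, the mitigation switches, the list of applied mitigations, and the URL Rewrite rules EEMS installs. It assumes the EEMS service name MSExchangeMitigation, the MitigationsEnabled property on Get-OrganizationConfig and Get-ExchangeServer, the Get-Mitigations.ps1 script in the Exchange scripts folder ($exscripts), and the MitigationService log folder under the Exchange install path. It assumes no rule names for this CVE's mitigation, because the article names none.

```powershell
# Added example, not from the advisory: verify that the Exchange Emergency
# Mitigation Service (EEMS) is running and actually allowed to apply mitigations.
# Run in the Exchange Management Shell on each on-premises Exchange server.
# Assumed names: service MSExchangeMitigation, property MitigationsEnabled,
# script Get-Mitigations.ps1 in $exscripts, log folder Logging\MitigationService.

$server = $env:COMPUTERNAME

# 1. The Windows service must exist and be running. Older CUs do not ship it.
$svc = Get-Service -Name MSExchangeMitigation -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "EEMS service is not installed on $server; update to a CU that ships it."
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "EEMS service is $($svc.Status) on $server; starting it."
    Start-Service -Name MSExchangeMitigation
}

# 2. Mitigations must be enabled both org-wide and for this server.
#    Either switch being $false means EEMS applies nothing, even when running.
$orgEnabled    = (Get-OrganizationConfig).MitigationsEnabled
$serverEnabled = (Get-ExchangeServer -Identity $server).MitigationsEnabled
if (-not $orgEnabled)    { Write-Warning "MitigationsEnabled is false at the organization level." }
if (-not $serverEnabled) { Write-Warning "MitigationsEnabled is false for $server." }

# 3. List the mitigations EEMS has applied here (script shipped with Exchange).
& (Join-Path $exscripts 'Get-Mitigations.ps1')

# 4. Cross-check the IIS side: EEMS delivers mitigations as URL Rewrite rules
#    on the Default Web Site. A mitigation reported as applied with no matching
#    rule present is worth investigating (rule names are not assumed here).
Import-Module WebAdministration
Get-WebConfiguration -Filter 'system.webServer/rewrite/rules/rule' -PSPath 'IIS:\Sites\Default Web Site' |
    Select-Object name, patternSyntax, stopProcessing

# 5. The service log records what was fetched from Microsoft and when it was
#    applied; the newest file shows whether the last check-in succeeded, which
#    is the part an air-gapped server cannot do on its own.
$logDir = Join-Path $env:ExchangeInstallPath 'Logging\MitigationService'
Get-ChildItem -Path $logDir -Filter *.log -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1 |
    Get-Content -Tail 20
```

Run this on every server, not just one: MitigationsEnabled is per server as well as per organization, and a single server with the switch off stays exposed while the rest of the fleet reports the mitigation as applied. On air-gapped servers step 5 will show no recent check-in, which is expected; those hosts need the manual measures Microsoft lists for isolated systems rather than the automatic service.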


Source: ainews-dev.lumi-systems.io · Published May 15, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.5.2.
