CVE-2026-42897 - Microsoft Exchange Server Cross-Site Scripting Vulnerability
Project:Microsoft
Product:Microsoft
Date Added:2026-05-15Due Date:2026-05-29Last Updated:May 15, 2026
Vulnerability Name
Microsoft Exchange Server Cross-Site Scripting Vulnerability
Description
Microsoft Exchange Server contains a cross-site scripting vulnerability during web page generation in Outlook Web Access and when certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context.
Known To Be Used in Ransomware Campaigns?
Unknown
Action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Additional Notes
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42897
https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/security-best-practices/exchange-emergency-mitigation-service
https://nvd.nist.gov/vuln/detail/CVE-2026-42897
Related News Articles
Microsoft June 2026 Patch Tuesday fixes 6 zero-days, 200 flawsJune 9, 2026
Microsoft patches Exchange Server zero-day exploited in attacksJune 10, 2026
Microsoft Warns of Two Actively Exploited Defender VulnerabilitiesMay 21, 2026