CVE-2026-42897
Description
Microsoft Exchange Server contains a cross-site scripting vulnerability (improper neutralization of input during web page generation) in Outlook Web Access. When certain interaction conditions are met, an attacker can execute arbitrary JavaScript in the victim's browser context.
CISA KEV
- Vendor: Microsoft
- Product: Exchange Server
- Due date: 2026-05-29
Mitigations
- Sources cited by CISA KEV:
  - MSRC update guide: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42897
  - Exchange Emergency Mitigation Service (Microsoft Learn): https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/security-best-practices/exchange-emergency-mitigation-service
  - NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2026-42897
- Vendor advisory (secure@microsoft.com): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897
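The mitigation references above point at the MSRC update guide and at the Exchange Emergency Mitigation Service (EEMS), so the first triage step for this KEV entry is to inventory on-premises Exchange servers, compare their Security Update level against the fixed build, and confirm EEMS is switched on. The script below is an added example written for this page; it is not code from the advisory or from Microsoft. It assumes the Exchange Management Shell, WinRM access to each server, and that you fill in $FixedBuild from the MSRC update guide for your CU (this page does not state the fixed build, so the default is a placeholder). The MitigationsEnabled / MitigationsApplied / MitigationsBlocked properties are the ones Microsoft documents for EEMS; reading ExSetup.exe's file version is the usual way to see the SU level, since AdminDisplayVersion only reflects the CU.

```powershell
# Added triage script for CVE-2026-42897 (not from the advisory or from Microsoft).
# Run in the Exchange Management Shell on an on-premises Exchange 2016/2019 organization.
# Assumptions:
#   - $FixedBuild is a placeholder; take the real value from the MSRC update guide.
#   - Invoke-Command reaches each server over WinRM.
#   - $env:ExchangeInstallPath is set on every Exchange server (it is by setup).
param(
    [version]$FixedBuild = [version]'0.0.0.0'   # placeholder, replace from MSRC
)

# 1. Organization-wide EEMS switch: if this is $false no mitigation is applied anywhere.
$org = Get-OrganizationConfig
Write-Host ("EEMS enabled for organization: {0}" -f $org.MitigationsEnabled)

# 2. Per-server state: CU-level version, SU-level ExSetup build, EEMS status.
$report = foreach ($srv in Get-ExchangeServer) {
    # AdminDisplayVersion tracks only the Cumulative Update; the Security Update
    # level shows up in the ExSetup.exe file version, so read it on the server.
    $exsetup = Invoke-Command -ComputerName $srv.Fqdn -ErrorAction SilentlyContinue -ScriptBlock {
        (Get-Item (Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe')).VersionInfo.ProductVersion
    }

    $patched = 'unknown'
    if ($exsetup) { $patched = ([version]$exsetup -ge $FixedBuild) }

    [pscustomobject]@{
        Server             = $srv.Name
        CuVersion          = $srv.AdminDisplayVersion.ToString()
        ExSetupBuild       = $exsetup
        Patched            = $patched
        MitigationsEnabled = $srv.MitigationsEnabled
        MitigationsApplied = ($srv.MitigationsApplied -join ',')
        MitigationsBlocked = ($srv.MitigationsBlocked -join ',')
    }
}

$report | Format-Table -AutoSize

# 3. Flag servers that are unpatched (or unverifiable) or have EEMS disabled,
#    so they can be dealt with before the KEV due date.
$report |
    Where-Object { $_.Patched -ne $true -or -not $_.MitigationsEnabled } |
    ForEach-Object {
        Write-Warning ("{0}: Patched={1} MitigationsEnabled={2}" -f $_.Server, $_.Patched, $_.MitigationsEnabled)
    }
```

A server that reports Patched=unknown usually means WinRM was unreachable or ExSetup.exe was not found; check it by hand rather than treating it as clean. EEMS only applies interim mitigations Microsoft publishes; it does not replace installing the Security Update.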
Exploits
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| microsoft | exchange_server | - | |
| microsoft | exchange_server | 2016 | |
| microsoft | exchange_server | 2019 | |
References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42897
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42897
- https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/security-best-practices/exchange-emergency-mitigation-service
- https://nvd.nist.gov/vuln/detail/CVE-2026-42897
CWEs
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')