CISA added a high-severity cross-site scripting vulnerability in Microsoft Exchange Server to its Known Exploited Vulnerabilities catalog on 2026-05-15, giving federal agencies two weeks to mitigate.
What Is It
CVE-2026-42897 is an improper neutralization of input during web page generation (CWE-79) in Microsoft Exchange Server. According to CISA, the flaw lives in the Outlook Web Access page-generation path: when certain interaction conditions are met, an attacker can get arbitrary JavaScript to execute in the victim's browser context. NVD describes the resulting impact as spoofing performed over the network by an unauthorized attacker.
The Microsoft-issued CVSS 3.1 score is 8.1 (HIGH) with vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N: network-reachable and requiring no privileges, but dependent on user interaction. NVD's own secondary score is 6.1 (MEDIUM) under a different vector that reflects a narrower read on the confidentiality and integrity impact.
Why It Matters
Exchange OWA sits on the perimeter of nearly every enterprise that still runs on-prem mail. A reflected or stored XSS in that surface lets an attacker run script inside an authenticated user's mailbox session; credential theft, mail manipulation, and session hijacking all become reachable through a single crafted link or message. The Microsoft CVSS scoring (HIGH for both confidentiality and integrity) reflects that severity. CISA's addition of the flaw to KEV confirms it is being actively exploited in the wild; known ransomware use is listed as "Unknown."
What's Vulnerable
Microsoft Exchange Server, including:
- Exchange Server Subscription Edition
- Exchange Server 2016 (RTM through Cumulative Update 23)
- Exchange Server 2019 (RTM and subsequent cumulative updates)
The vulnerable surface is the Outlook Web Access component.
Patch Status
CISA's required action: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. The federal due date is 2026-05-29. Microsoft's update guide entry for CVE-2026-42897 is the authoritative source for patches; administrators who cannot patch immediately should confirm that the Exchange Emergency Mitigation Service (EEMS) is enabled at both the organization and server level so that interim mitigations are received.
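As an added example (not from the advisory, CISA, or Microsoft), the following Exchange Management Shell check inventories on-premises servers and flags any that will not receive interim EEMS mitigations; it assumes the MitigationsEnabled property that Get-OrganizationConfig and Get-ExchangeServer expose on cumulative updates that ship EEMS, and an account with at least View-Only Organization Management rights.

```powershell
# Added example: inventory Exchange servers and confirm EEMS is enabled while the
# CVE-2026-42897 update is rolled out. Assumes the Exchange cmdlets are loaded and
# that MitigationsEnabled is available (cumulative updates that include EEMS).

# EEMS is governed by an organization-wide switch and a per-server switch;
# both must be $true for a server to receive interim mitigations.
$orgMitigations = (Get-OrganizationConfig).MitigationsEnabled

$report = foreach ($server in Get-ExchangeServer) {
    # Only Mailbox servers host OWA and receive EEMS mitigations; skip Edge Transport.
    if ($server.ServerRole -notmatch 'Mailbox') { continue }

    [pscustomobject]@{
        Server                   = $server.Name
        Version                  = $server.AdminDisplayVersion
        OrgMitigationsEnabled    = $orgMitigations
        ServerMitigationsEnabled = $server.MitigationsEnabled
        # True when either switch is off: this server is unprotected until patched.
        NeedsAttention           = -not ($orgMitigations -and $server.MitigationsEnabled)
    }
}

# Show the full inventory, then the servers that need immediate follow-up.
$report | Format-Table -AutoSize
$report | Where-Object NeedsAttention | Select-Object Server, Version
```

Servers listed in the second table should be patched first; EEMS is an interim measure and does not replace the vendor update.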