VULNERABILITY OVERVIEW
An improper input neutralization (cross-site scripting, XSS) flaw in Outlook Web Access (OWA) allows an unauthenticated attacker to send a specially crafted email that, when opened in OWA, executes arbitrary JavaScript in the victim's browser, enabling session hijacking and spoofing attacks. Microsoft confirmed active exploitation in the wild as of May 14, 2026, and has released temporary mitigations via the Exchange Emergency Mitigation Service (auto-applied as M2.1.x) while a permanent patch is developed. No patch is yet available; Exchange Online users are unaffected.
CVSS BREAKDOWN
Attack Vector:        NETWORK
Attack Complexity:    LOW
Privileges Required:  NONE
User Interaction:     REQUIRED
Scope:                UNCHANGED
Impact:               C:H · I:H · A:N
Vector:               AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
AFFECTED VERSIONS
Exchange Server 2016, Exchange Server 2019, Exchange Server Subscription Edition (all CU levels); Exchange Online is NOT affected
CITATIONS
- https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498
- https://securityaffairs.com/192204/security/cve-2026-42897-microsoft-confirms-active-exploitation-of-exchange-server-zero-day.html
- https://www.helpnetsecurity.com/2026/05/15/exchange-server-cve-2026-42897-exploited/
- https://www.securityweek.com/microsoft-warns-of-exchange-server-zero-day-exploited-in-the-wild/