Known Exploited Vulnerability
8.1
HIGH CVSS 3.1
CVE-2026-42897
Microsoft Exchange Server Cross-Site Scripting Vulnerability - [Actively Exploited]
Description

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

INFO

Published Date: May 14, 2026, 6:16 p.m.

Last Modified: May 15, 2026, 7:35 p.m.

Remotely Exploitable: No
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Description: Microsoft Exchange Server contains a cross-site scripting vulnerability during web page generation in Outlook Web Access and when certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Known Ransomware Campaign Use: Unknown

Notes: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42897 ; https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/security-best-practices/exchange-emergency-mitigation-service ; https://nvd.nist.gov/vuln/detail/CVE-2026-42897

Affected Products

The following products are affected by the CVE-2026-42897 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product
1 Microsoft exchange_server
2 Microsoft exchange_server_se
3 Microsoft exchange_server_2019
4 Microsoft exchange_server_2016
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and display CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 HIGH f38d906d-7342-40ea-92c1-6c4a2c6478c8
CVSS 3.1 HIGH [email protected]
CVSS 3.1 MEDIUM [email protected]
Public PoC/Exploit Available on GitHub

CVE-2026-42897 has 2 public PoC/exploit repositories available on GitHub.

References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2026-42897.

URL Resource
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897 Mitigation Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42897 US Government Resource
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-42897 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-42897 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proofs of concept that have been published on GitHub (sorted by the most recently updated).

None

TypeScript Batchfile JavaScript Dockerfile HTML CSS Shell PowerShell Go PLpgSQL

Updated: 1 week, 3 days ago
33 stars, 6 forks, 6 watchers
Created: May 21, 2026, 1:12 p.m. This repo has also been linked to 7 different CVEs.

CVE-2026-42897 - Exchange Health Checker blind spot: outbound IIS URL Rewrite rules silently ignored, making EOMT mitigations invisible in diagnostic reports.

PowerShell

Updated: 2 weeks, 5 days ago
1 star, 1 fork, 1 watcher
Created: May 15, 2026, 11:24 a.m. This repo has also been linked to 1 CVE.


The following news articles mention the CVE-2026-42897 vulnerability.

  • Proofpoint
More CVEs, Same Playbook: 2026 Vulnerability Exploitation in the Wild

Executive Summary The CVE Landscape Has Changed. The Threat Actors Haven't. Proofpoint's dual telemetry streams — targeted attack visibility covering hundreds of millions of messages daily, and a glob ...

Published Date: May 27, 2026 (1 week ago)
  • The Hacker News
Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software

Anthropic on Friday disclosed that Project Glasswing has helped uncover more than 10,000 high- or critical-severity vulnerabilities across some of the most "systemically" important software across the ...

Published Date: May 23, 2026 (1 week, 5 days ago)
  • The Hacker News
LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root

A maximum-severity security vulnerability impacting LiteSpeed User-End cPanel Plugin has come under active exploitation in the wild. The flaw, tracked as CVE-2026-48172 (CVSS score: 10.0), relates to ...

Published Date: May 23, 2026 (1 week, 5 days ago)
  • The Hacker News
Drupal Core SQL Injection Bug Actively Exploited, Added to CISA KEV

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched critical security flaw impacting Drupal Core to its Known Exploited Vulnerabilities (KEV) catalog, based o ...

Published Date: May 23, 2026 (1 week, 5 days ago)
  • The Hacker News
CISA Adds Exploited Langflow and Trend Micro Apex One Vulnerabilities to KEV

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added two security flaws impacting Langflow and Trend Micro Apex One to its Known Exploited Vulnerabilities (KEV) catalog, ...

Published Date: May 22, 2026 (1 week, 6 days ago)
  • The Hacker News
Cisco Patches CVSS 10.0 Secure Workload REST API Flaw Enabling Data Access

Cisco has rolled out updates for a maximum-severity security flaw impacting Secure Workload that could allow an unauthenticated, remote attacker to access sensitive data. Tracked as CVE-2026-20223 (CV ...

Published Date: May 22, 2026 (1 week, 6 days ago)
  • The Hacker News
Microsoft Warns of Two Actively Exploited Defender Vulnerabilities

Microsoft has disclosed that a privilege escalation and a denial-of-service flaw in Defender has come under active exploitation in the wild. The former, tracked as CVE-2026-41091, is rated 7.8 on the ...

Published Date: May 21, 2026 (2 weeks ago)
  • The Hacker News
9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros

Cybersecurity researchers have disclosed details of a vulnerability in the Linux kernel that remained undetected for nine years. The vulnerability, tracked as CVE-2026-46333 (CVSS score: 5.5), is a ca ...

Published Date: May 21, 2026 (2 weeks ago)
  • The Hacker News
Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks

Drupal has released security updates for a "highly critical" security vulnerability in Drupal Core that could be exploited by attackers to achieve remote code execution, privilege escalation, or infor ...

Published Date: May 21, 2026 (2 weeks ago)
  • The Hacker News
Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit

Microsoft on Tuesday released a mitigation for a BitLocker bypass vulnerability named YellowKey following its public disclosure last week. The zero-day flaw, now tracked as CVE-2026-45585, carries a C ...

Published Date: May 20, 2026 (2 weeks, 1 day ago)
  • The Hacker News
SEPPMail Secure E-Mail Gateway Vulnerabilities Enable RCE and Mail Traffic Access

Critical security vulnerabilities have been disclosed in SEPPMail Secure E-Mail Gateway, an enterprise-grade email security solution, that could be exploited to achieve remote code execution and enabl ...

Published Date: May 19, 2026 (2 weeks, 2 days ago)
  • TheCyberThrone
Pwn2Own Berlin 2026 a Detailed Report

The curtain has fallen on Pwn2Own Berlin 2026. Three days. 47 unique zero-day vulnerabilities. $1,298,250 in total payouts. And a competition that, for the first time in its 19-year history, ran out o ...

Published Date: May 18, 2026 (2 weeks, 2 days ago)
  • CybersecurityNews
CISA Warns of Microsoft Exchange Server Vulnerability Exploited in Attacks

CISA has issued a fresh warning about a newly disclosed Microsoft Exchange Server vulnerability that is already being exploited in real-world attacks, raising concerns for organizations relying on on- ...

Published Date: May 18, 2026 (2 weeks, 3 days ago)
  • The Hacker News
MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems

Chaotic Eclipse, the security researcher behind the recently disclosed Windows flaws, YellowKey and GreenPlasma, has released a proof-of-concept (PoC) for a Windows privilege escalation zero-day flaw ...

Published Date: May 18, 2026 (2 weeks, 3 days ago)
  • TheCyberThrone
CVE-2026-42945 — NGINX Heap Buffer Overflow RCE

CVE: CVE-2026-42945; CVSS: 9.2 — Critical; Vendor: NGINX / F5; Affected Versions: 0.6.27 through 1.30.0; Vulnerability Type: Heap Buffer Overflow; Impact: Unauthenticated Remote Code Execution; PoC Available: Yes ...

Published Date: May 17, 2026 (2 weeks, 4 days ago)
  • The Hacker News
NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE

A newly disclosed security flaw impacting NGINX Plus and NGINX Open has come under active exploitation in the wild, days after its public disclosure, according to VulnCheck. The vulnerability, tracked ...

Published Date: May 17, 2026 (2 weeks, 4 days ago)
  • TheCyberThrone
Fortinet Patch Tuesday – May 2026

Overview: Fortinet published 11 advisories on Patch Tuesday describing as many bugs, including two dealing with critical-severity code execution security defects. While the company did not tag these two ...

Published Date: May 16, 2026 (2 weeks, 5 days ago)
  • Daily CyberSecurity
CVSS 10 Alert: Quest KACE SMA Auth Bypass Exploited to Hijack Managed Endpoints

Cybersecurity researchers have just dropped a report on a critical “management plane” threat that has spent the last ...

Published Date: May 16, 2026 (2 weeks, 5 days ago)
  • TheCyberThrone
CVE-2026-42897 — Microsoft Exchange Server OWA XSS Vulnerability

Overview: Microsoft has confirmed active exploitation of CVE-2026-42897, a Cross-Site Scripting vulnerability in Microsoft Exchange Server carrying a CVSS score of 8.1. The flaw stems from improper neutr ...

Published Date: May 15, 2026 (2 weeks, 5 days ago)
  • security.nl
Microsoft Exchange servers attacked via critical cross-site scripting flaw

Attackers are actively exploiting a critical cross-site scripting flaw in Microsoft Exchange Server, Microsoft warns. Security updates are not yet available, but a temporary mitig ...

Published Date: May 15, 2026 (2 weeks, 6 days ago)

The following table lists the changes that have been made to the CVE-2026-42897 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Modified Analysis by [email protected]

    May. 15, 2026

    Action Type Old Value New Value
    Added Reference Type CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42897 Types: US Government Resource
  • CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725

    May. 15, 2026

    Action Type Old Value New Value
    Added Date Added 2026-05-15
    Added Due Date 2026-05-15
    Added Required Action 2026-05-15
    Added Vulnerability Name 2026-05-15
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    May. 15, 2026

    Action Type Old Value New Value
    Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42897
  • Initial Analysis by [email protected]

    May. 15, 2026

    Action Type Old Value New Value
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    Added CPE Configuration
    Added Reference Type Microsoft Corporation: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897 Types: Mitigation, Vendor Advisory
  • New CVE Received by [email protected]

    May. 14, 2026

    Action Type Old Value New Value
    Added Description Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
    Added CWE CWE-79
    Added Reference https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. The following chart shows the EPSS score history of the vulnerability.