CVE-2026-42897
CVE-2026-42897 is a reflected cross-site scripting (XSS) vulnerability in the Outlook Web Access (OWA) component of Microsoft Exchange Server. The root cause is improper neutralization of user-supplied input during web page generation (CWE-79). An unauthenticated attacker can exploit this vulnerability by sending a specially crafted email to a target user. When the recipient opens the email in OWA, attacker-controlled JavaScript is executed within the victim's authenticated browser session. This can result in session token capture, identity spoofing, and unauthorized access to the victim's mailbox. At the moment of writing (2026-05-18), no security update is currently available. Microsoft has deployed an emergency mitigation (M2) via the Exchange Emergency Mitigation Service (EEMS). On systems with EEMS enabled, this mitigation is applied automatically. Administrators are advised to verify that mitigation M2 is active on all affected systems. For systems without EEMS enabled, manual application of the mitigation using the Exchange On-premises Mitigation Tool is recommended.
EPSS 7.86% · 92.2th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Microsoft | Microsoft Exchange Server 2016, 2019, and Subscription Edition |
Timeline
- May 14, 2026 PoC Published
- May 14, 2026 CVE Published
- May 14, 2026 PoC Published
- May 14, 2026 PoC Published
- May 14, 2026 PoC Published
- May 14, 2026 PoC Published
- May 14, 2026 PoC Published
- May 14, 2026 PoC Published
- May 15, 2026 CISA KEV Added
- May 15, 2026 PoC Published
- May 15, 2026 PoC Published
- May 15, 2026 PoC Published
References
- https://ccb.belgium.be/advisories/warning-cross-site-scripting-microsoft-exchange-server-can-be-exploited-perform-spoofing advisory
- https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498 vendor
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42897 vendor
- https://nvd.nist.gov/vuln/detail/CVE-2026-42897 technical