VDB

CVE-2026-42897

CVE-2026-42897 PUBLISHED KEV CVSS 8.100000381469727 HIGH

CVE-2026-42897 is a reflected cross-site scripting (XSS) vulnerability in the Outlook Web Access (OWA) component of Microsoft Exchange Server. The root cause is improper neutralization of user-supplied input during web page generation (CWE-79). An unauthenticated attacker can exploit this vulnerability by sending a specially crafted email to a target user. When the recipient opens the email in OWA, attacker-controlled JavaScript is executed within the victim's authenticated browser session. This can result in session token capture, identity spoofing, and unauthorized access to the victim's mailbox. At the moment of writing (2026-05-18), no security update is currently available. Microsoft has deployed an emergency mitigation (M2) via the Exchange Emergency Mitigation Service (EEMS). On systems with EEMS enabled, this mitigation is applied automatically. Administrators are advised to verify that mitigation M2 is active on all affected systems. For systems without EEMS enabled, manual application of the mitigation using the Exchange On-premises Mitigation Tool is recommended.

EPSS 7.86% · 92.2th percentile

Risk Scores

CVSS 3.1
8.100000381469727
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS Score
7.86%
92.2th percentile

Affected Products

VendorProductVersions
MicrosoftMicrosoft Exchange Server 2016, 2019, and Subscription Edition

Timeline

  • May 14, 2026 PoC Published
  • May 14, 2026 CVE Published
  • May 14, 2026 PoC Published
  • May 14, 2026 PoC Published
  • May 14, 2026 PoC Published
  • May 14, 2026 PoC Published
  • May 14, 2026 PoC Published
  • May 14, 2026 PoC Published
  • May 15, 2026 CISA KEV Added
  • May 15, 2026 PoC Published
  • May 15, 2026 PoC Published
  • May 15, 2026 PoC Published
Open in Interactive Console →
$ Console Community · 100/wk Open console ›