Actively exploited in the wild
Microsoft Exchange Server Cross-Site Scripting Vulnerability
Microsoft — Microsoft · Listed in the CISA KEV since 2026-05-15. This indicates confirmed attacks in production environments.
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CVE-2026-42897
HighCVSS 8.1KEVExploitation Probability (EPSS)
High risk83th percentile — higher than 83% of all known CVEs
Summary
Microsoft Exchange Server has an improper neutralization of input during web page generation, leading to a cross-site scripting vulnerability. This flaw allows an unauthorized attacker to perform spoofing over a network.
Risk Assessment
An attacker could exploit this vulnerability to conduct phishing attacks or steal data, potentially leading to serious security implications for the organization.
Recommendation
It is recommended to update Microsoft Exchange Server to the latest version and implement appropriate security measures against XSS attacks.
Original NVD description (English source)
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

