Planned Fix

CVE-2026-42897

Cross-Site Scripting in Microsoft Exchange Server

Summary

Microsoft Exchange Server Outlook Web Access (OWA) fails to neutralize attacker-controlled input during web page generation (CWE-79), and the flaw can be triggered by a specially crafted email. When a user who is signed in to OWA opens the message and the required interaction conditions are met, attacker-controlled JavaScript runs in that user's browser session. The attacker needs no credentials on the target organization (CVSS PR:N); the victim's authenticated OWA session is what gets abused. Microsoft says the issue affects on-premises Exchange Server 2016, 2019, and Subscription Edition and is being actively exploited.

Why Planned Fix?

Score: 3/6
  • Authentication required
  • Mixed internet / internal deployment
  • User interaction needed
  • Exploitable in default configuration
  • Active exploitation in the wild
  • Not a high impact vulnerability

Exploitation Details

Type: XSS (Cross-Site Scripting)
Is exploitable with default configuration? Yes
Is authentication needed? Yes, on the victim's side: the target must be signed in to OWA when the message is opened. The attacker needs no credentials on the Exchange organization (CVSS PR:N); delivering the email is enough.
PoC / Exploit: No public PoC or exploit listed.
Impact: Account takeover. Execute attacker-controlled JavaScript in the victim's OWA browser session and act as that user within OWA.
Exploitation Requirements
  • Authenticated victim session in OWA
  • User interaction (the victim opens the crafted message)
Exploitation Process

An attacker sends a specially crafted email to a target mailbox. When the recipient opens the message in Outlook Web Access, OWA renders the message body as HTML without fully neutralizing the attacker's input, so the embedded script executes in the victim's OWA session once the required interaction conditions are met. Because scope is unchanged (CVSS S:U), the script runs within the OWA origin rather than escaping it, but within that origin it can act as the user: the High confidentiality and integrity ratings reflect full access to whatever the victim can read and change in OWA.

Detection Resources
Manual Detection: 0
Script Detection: 0
Scanner Detection: 1

Affected Software

Vendor: Microsoft
Product: Microsoft Exchange Server
Affected Versions: 2016, 2019, and Subscription Edition (on-premises)

Description

Microsoft Exchange Server is an on-premises email, calendaring, and collaboration platform that provides mailbox hosting, transport, and web access through Outlook Web Access.

Deployment: Commonly internet-facing | Protocol: HTTPS | Ports: 443

Affected Component: Outlook Web Access (OWA) email rendering and HTML response generation in the web mail interface.

Affected Endpoints (1): /owa

Enterprise Usage: AI-generated estimate of how likely this vendor/product is to be deployed in enterprise environments, based on market presence, product type and adoption signals (not exact data); the rating itself was not captured on this page.
Vendor Size: Big
Remediation
Workaround

Allow Microsoft Exchange Emergency Mitigation Service to apply mitigation M2 (URL Rewrite) and keep outbound access to officeclient.microsoft.com:443 so the mitigation can be fetched and refreshed.

Source: learn.microsoft.com
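A quick way to confirm that the workaround is actually in effect on a given server, as an added example that is not part of the original page or of Microsoft's documentation: it reads the EEMS switches exposed by Get-OrganizationConfig and Get-ExchangeServer, checks the outbound path to officeclient.microsoft.com:443 that the mitigation feed needs, and lists the URL Rewrite rules bound to the OWA site. It assumes it is run from the Exchange Management Shell on the Exchange server itself, that OWA lives under the IIS site named 'Default Web Site', and that an applied M2 shows up as a rewrite rule on that site.

```powershell
# Added example (not from the original page or from Microsoft): verify that the
# Exchange Emergency Mitigation Service (EEMS) can apply mitigation M2 (URL Rewrite).
# Assumptions: run in the Exchange Management Shell on the Exchange server itself,
# OWA is hosted under 'Default Web Site', and an applied M2 appears as an IIS rewrite rule.
$server = $env:COMPUTERNAME

# 1. EEMS must be enabled at both the organization and the server level.
$org = Get-OrganizationConfig
$srv = Get-ExchangeServer -Identity $server
[pscustomobject]@{
    Server            = $srv.Name
    Version           = $srv.AdminDisplayVersion
    OrgMitigations    = $org.MitigationsEnabled
    ServerMitigations = $srv.MitigationsEnabled
    Applied           = ($srv.MitigationsApplied -join ', ')
    Blocked           = ($srv.MitigationsBlocked -join ', ')
} | Format-List

# 2. The mitigation feed is fetched over TCP/443 to officeclient.microsoft.com;
#    without this path EEMS can neither apply nor refresh M2.
$feed = Test-NetConnection -ComputerName officeclient.microsoft.com -Port 443 -WarningAction SilentlyContinue
if (-not $feed.TcpTestSucceeded) {
    Write-Warning 'No outbound TCP/443 path to officeclient.microsoft.com; EEMS cannot fetch or refresh mitigations.'
}

# 3. List the URL Rewrite rules currently bound to the OWA site so an applied M2 is visible.
Import-Module WebAdministration
Get-WebConfiguration -Filter '/system.webServer/rewrite/rules/rule' -PSPath 'IIS:\Sites\Default Web Site' |
    Select-Object name, patternSyntax, stopProcessing

# 4. Turn EEMS on wherever it is off (needs Organization Management; applied on the service's next check).
if (-not $org.MitigationsEnabled) { Set-OrganizationConfig -MitigationsEnabled $true }
if (-not $srv.MitigationsEnabled) { Set-ExchangeServer -Identity $server -MitigationsEnabled $true }
```

Run it on every internet-facing Exchange server, not just one: EEMS is per server, and a server whose egress to officeclient.microsoft.com is blocked by a proxy or firewall will silently keep an empty MitigationsApplied list.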
Patch: Not available

Update: Not available

Threat Intelligence
EPSS Score: 12.3% (probability of exploitation in the next 30 days)
EPSS Percentile: 94% (worse than 94% of all CVEs)
CISA KEV: Listed
Active Exploitation: Active (source: nvd.nist.gov)
Threat Actors

No known threat actors

Detection Rules

No detection rules available

NVD Data


Description Summary

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

CVSS Base Score: 8.1 (High)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): None
  • User Interaction (UI): Required
  • Scope (S): Unchanged
  • Confidentiality (C): High
  • Integrity (I): High
  • Availability (A): None

CWE: CWE-79 Cross-site Scripting (XSS)

Affected Software (CPE) (40)

  • cpe:2.3:a:microsoft:exchange_server:-:*:*:*:subscription:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:-:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_10:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_11:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_12:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_13:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_14:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_15:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_16:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_17:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_18:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_19:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_2:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_20:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_21:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_22:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_23:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_3:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_4:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_5:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_6:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_7:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_8:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_9:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:-:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_10:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_11:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_12:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_13:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_14:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_2:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_3:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_4:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_5:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_6:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_7:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_8:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_9:*:*:*:*:*:*

Priority History

  • Planned Fix
  • Initial analysis