May 2026: Microsoft Exchange Server Spoofing Vulnerability
CVE-2026-42897 Published on May 14, 2026

Microsoft Exchange Server Spoofing Vulnerability
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

Vendor Advisory NVD

Weakness Type

What is a XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2026-42897 has been classified to as a XSS vulnerability or weakness.

Products Associated with CVE-2026-42897

Want to know whenever a new CVE is published for Microsoft products? stack.watch will email you.

Microsoft Exchange Server 2016

Microsoft Exchange Server 2019

Microsoft Exchange Server Se

Affected Versions

Microsoft Exchange Server 2016 Cumulative Update 23:

Version - is affected.

Microsoft Exchange Server 2019 Cumulative Update 14:

Version - is affected.

Microsoft Exchange Server 2019 Cumulative Update 15:

Version - is affected.

Microsoft Exchange Server Subscription Edition RTM:

Version - is affected.

May 2026: Microsoft Exchange Server Spoofing VulnerabilityCVE-2026-42897 Published on May 14, 2026

Weakness Type

What is a XSS Vulnerability?

Products Associated with CVE-2026-42897

Affected Versions

May 2026: Microsoft Exchange Server Spoofing Vulnerability
CVE-2026-42897 Published on May 14, 2026