May 2026: Microsoft Exchange Server Spoofing Vulnerability
CVE-2026-42897 Published on May 14, 2026

Microsoft Exchange Server Spoofing Vulnerability
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.


Known Exploited Vulnerability

This Microsoft Exchange Server Cross-Site Scripting Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Microsoft Exchange Server contains a cross-site scripting vulnerability during web page generation in Outlook Web Access; when certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context.

The following remediation steps are recommended / required by May 29, 2026: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weakness Type

What is an XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2026-42897 has been classified as an XSS vulnerability or weakness.


Products Associated with CVE-2026-42897


Affected Versions

Microsoft Exchange Server 2016 Cumulative Update 23
Microsoft Exchange Server 2019 Cumulative Update 14
Microsoft Exchange Server 2019 Cumulative Update 15
Microsoft Exchange Server Subscription Edition RTM