Severity: High · Known exploited (KEV) · CVE-2026-42897

Cross-site scripting in Microsoft Exchange Server (CVE-2026-42897) — arbitrary JavaScript execution in OWA

Vendor / product: Microsoft / Microsoft · Added to KEV: May 15, 2026 · Federal remediation due: 2026-05-29

Microsoft Exchange Server, a mail server, has a cross-site scripting (XSS) vulnerability: during web page generation in Outlook Web Access (OWA), and under certain user-interaction conditions, arbitrary JavaScript can be executed in the victim's browser context. CISA has listed it as known exploited (KEV); CVSS 8.1 High.

Key facts

  • CVE ID: CVE-2026-42897
  • CVSS base score: 8.1 HIGH
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
  • Affected (vendor / product): Microsoft / Microsoft
  • CWE: CWE-79
  • Exploitation: Listed in CISA KEV (exploitation confirmed)
  • Remediation due: 2026-05-29 (U.S. federal civilian agencies, BOD 22-01)

Key points

  • Cross-site scripting (CWE-79) in Microsoft Exchange Server's Outlook Web Access (OWA)
  • Under certain conditions, arbitrary JavaScript can run in the browser context
  • Can lead to session hijacking, email theft, and impersonation
  • Exchange is a high-value target (see the earlier ProxyLogon exploitation); listed in CISA KEV (CVSS 8.1 High)
  • Response: apply Microsoft security updates; prioritize internet-exposed OWA

CVE-2026-42897 is a cross-site scripting vulnerability (CWE-79: XSS) in Microsoft Exchange Server (a mail-server product widely used as enterprise email infrastructure). It was added to CISA's KEV catalog on May 15, 2026.

Per NVD, during web page generation in Outlook Web Access (OWA), when certain interaction conditions are met, arbitrary JavaScript can be executed in the victim's browser context. OWA is the entry point for using email from a browser; script execution there can lead to session hijacking, theft of email content, and impersonation.
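The paragraph above describes the CWE-79 pattern in general terms: untrusted data is written into a page during generation and the browser runs it as script. The example below is added here and is not code from the advisory, from NVD or from Microsoft; it does not model OWA's actual code path. It uses a constructed template and a constructed input to show the vulnerable concatenation beside the output-encoded fix, plus a small review aid that flags elements in the rendered output that the template itself never emits.

```python
# Added example (not from the advisory or from Microsoft): how a CWE-79 defect
# arises during server-side page generation and how output encoding removes it.
import html
import re

# Constructed sample: attacker-influenced data that a webmail page echoes back
# (here, a sender display name shown in a message listing).
CONSTRUCTED_INPUT = 'Alice <script>document.title="x"</script>'

# Constructed page template; the only placeholder is the display name.
PAGE_TEMPLATE = '<html><body><h1>Inbox for {name}</h1></body></html>'

# Tag-name regex used both for the template allow-list and for rendered output.
_TAG_RE = re.compile(r'<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)')


def render_vulnerable(name: str) -> str:
    """CWE-79 pattern: untrusted data is concatenated into HTML without encoding,
    so any markup the input contains becomes part of the page."""
    return PAGE_TEMPLATE.format(name=name)


def render_hardened(name: str) -> str:
    """Fix for an HTML element-content context: encode the value so '<', '>',
    '&' and quotes become entities and the browser treats the input as text."""
    return PAGE_TEMPLATE.format(name=html.escape(name, quote=True))


# Review/detection aid: the set of element names the template itself emits is
# the allow-list; anything beyond it in rendered output was injected.
_TEMPLATE_TAGS = set(_TAG_RE.findall(PAGE_TEMPLATE))


def has_injected_element(rendered: str) -> bool:
    """True when the rendered page contains an element the template never emits."""
    return bool(set(_TAG_RE.findall(rendered)) - _TEMPLATE_TAGS)


if __name__ == "__main__":
    for label, fn in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        page = fn(CONSTRUCTED_INPUT)
        print(f"{label:10s} injected element: {has_injected_element(page)}")
        print("  ", page)
```

The allow-list check is a test-time aid for a fixed template, not a substitute for encoding: the defence is `html.escape` (or the framework's equivalent) applied in the correct output context, and the check only confirms that the hardened renderer no longer lets input add elements.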

Exchange Server has a history of severe vulnerabilities (such as ProxyLogon) being widely exploited, which makes it a high-value target that attackers favor. XSS by itself does not always lead to full server compromise, but email infrastructure holds highly sensitive data, and the KEV listing calls for prompt action.

Key response: apply Microsoft's official security updates (Exchange generally delivers fixes through cumulative updates). For cloud-hosted deployments, follow BOD 22-01 as well. Internet-exposed OWA is the highest priority. The federal civilian remediation deadline was May 29, 2026.

Why it matters

A vulnerability in the widely used Exchange email infrastructure that directly enables attacks through webmail (OWA). Organizations running Exchange should prioritize prompt application of cumulative security updates and review their OWA exposure. The listing reflects continued attacker focus on high-value assets.

FAQ

What is XSS (cross-site scripting)?
A vulnerability where an attacker's script is injected during web page generation and runs in the user's browser, which can lead to session hijacking and information theft.
What is OWA?
Outlook Web Access, the entry point for using Exchange email from a browser. In this case, a script can be injected while OWA generates a page.
What should I do?
Apply Microsoft's official security updates. Exchange generally requires cumulative updates, and you should especially prioritize action if OWA is internet-exposed.

Sources (primary)

This article is an independent summary based on the U.S. official data below. Always verify the exact, latest details and applicability with the official and vendor sources.

Tags: #Microsoft #Exchange #Email #XSS #OWA
Disclaimer: This site independently summarizes and classifies information based on official data sources. Always verify the latest and accurate information with the official sources. Content on finance, health, legal, and security is information, not advice. This site is not an official website of the U.S. government.