CVE Catalog

Actively exploited in the wild

Microsoft Exchange Server Cross-Site Scripting Vulnerability

Vendor: Microsoft · Listed in the CISA Known Exploited Vulnerabilities (KEV) catalog since 2026-05-15. A KEV listing means CISA has evidence of active exploitation in the wild, not merely a published proof of concept.

Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CVE-2026-42897

Severity: High · CVSS 8.1 · CISA KEV
Source: NVD (NIST)

Exploitation Probability (EPSS)

High risk
EPSS score: 2.51% (83rd percentile: higher than 83% of all scored CVEs)

EPSS estimates the probability that a CVE will be exploited within the next 30 days; the "High risk" label here reflects the percentile, not the absolute score. Because this CVE is already in the KEV catalog, treat it as exploited regardless of the EPSS value.

Summary

Microsoft Exchange Server fails to neutralize untrusted input during web page generation (CWE-79, cross-site scripting). An unauthorized attacker can exploit this over the network to perform spoofing.

Risk Assessment

Script injected through this flaw runs in a victim's browser in the context of the Exchange web interface, so an attacker could present spoofed content to the user, conduct phishing, or capture data the user enters or the session exposes. Given the confirmed in-the-wild exploitation, this should be treated as a priority fix rather than a routine XSS.

Recommendation

Install the Microsoft security update that addresses CVE-2026-42897 on every Exchange Server, as the KEV required action directs. Until the update is applied, reduce exposure of the Exchange web endpoints where possible and monitor them for anomalous access. For any web application you maintain, the general defense against this vulnerability class is context-aware output encoding of all untrusted data, backed by a Content Security Policy.
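The summary above describes the vulnerability class (improper neutralization of input during web page generation), and the recommendation names the general defense. The following is an added illustration of that class and its fix in generic JavaScript; it is not Exchange code and says nothing about how the Exchange flaw itself is triggered. The renderer functions, the attribute handling and the constructed payload string are all assumptions made for the example.

```javascript
// Added example (not Exchange code): CWE-79, improper neutralization of
// input during web page generation, shown as a vulnerable renderer beside a
// hardened one. All inputs below are constructed for illustration.

// Vulnerable: untrusted input is concatenated straight into the HTML.
function renderUnsafe(displayName) {
  return `<div class="sender">From: ${displayName}</div>`;
}

// Encode a value for an HTML text node or a double-quoted attribute value.
// The five characters below are the ones that can change HTML structure.
function htmlEncode(str) {
  return String(str).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// Hardened: every untrusted value is encoded for the context it lands in.
function renderSafe(displayName) {
  return `<div class="sender">From: ${htmlEncode(displayName)}</div>`;
}

// Attribute context: encoding alone does not neutralize a javascript: URL,
// so the scheme is checked first and the attribute is always quoted.
function renderLinkSafe(href, label) {
  const url = /^https?:\/\//i.test(href) ? href : '#';
  return `<a href="${htmlEncode(url)}">${htmlEncode(label)}</a>`;
}

// Crude oracle used to compare the two renderers: does the markup still
// contain a live tag or script scheme from the payload? Not a sanitizer.
function containsActiveMarkup(html) {
  return /<(script|img|svg|iframe)\b|javascript:/i.test(html);
}

// Constructed payload: breaks out of an attribute and injects an event handler.
const constructedPayload = '"><img src=x onerror=alert(document.domain)>';

console.log(renderUnsafe(constructedPayload));
console.log(renderSafe(constructedPayload));
console.log(renderLinkSafe('javascript:alert(1)', 'Open'));
```

The point of the pair is that the hardened renderer changes only where data meets markup: the same payload is rendered as inert text, and the link helper shows that the encoding step alone is not enough for URL-bearing attributes.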

Original NVD description (English source)

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS