CVE-2026-42897
Published: 14 May 2026
Summary
CVE-2026-42897 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Microsoft Exchange Server. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 8.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-42897 is a cross-site scripting vulnerability arising from improper neutralization of input during web page generation, tracked under CWE-79. It affects Microsoft Exchange Server and carries a CVSS 3.1 score of 8.1, reflecting a network attack vector, low attack complexity, no required privileges and required user interaction, with high impact on confidentiality and integrity but none on availability.
An unauthorized attacker can exploit the flaw over a network to perform spoofing attacks against Exchange Server users. The attack requires the victim to interact with a crafted page or link, after which the attacker can achieve unauthorized access to sensitive data or perform actions under the victim's session context.
Microsoft has published guidance for the issue through its Security Response Center, while CISA lists the CVE in its Known Exploited Vulnerabilities catalog, indicating confirmed in-the-wild exploitation.
EPSS for the vulnerability rose from a low baseline to a peak of 0.1234 on 2026-05-16 before receding to the current value of 0.0786, signaling a temporary surge in exploitation interest shortly after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-30343
Vulnerability details
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
- CWE(s): CWE-79
- KEV Date Added: 15 May 2026
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
XSS in the public-facing Exchange web interface directly enables remote exploitation (T1190) and browser session hijacking via injected scripts (T1185).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation and neutralization of untrusted inputs before web page generation, blocking the CWE-79 flaw exploited by CVE-2026-42897.
- SI-15 (Information Output Filtering): Filters outgoing web content to remove or encode injected scripts, mitigating the spoofing and session-context abuse possible after the input flaw is triggered.
- Monitoring control (not identified by control number on this page): Enables monitoring of web requests and anomalous script execution patterns that indicate active exploitation of the Exchange Server XSS vector.