High severity (8.1) · CISA KEV · NVD Advisory · Published May 14, 2026 · Updated May 15, 2026
CVE-2026-42897
Description
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
Patches
No patches discovered yet.
References
- msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897 · nvd · Mitigation, Vendor Advisory
- www.cisa.gov/known-exploited-vulnerabilities-catalog · nvd · US Government Resource
News mentions
- Microsoft Reports Severe Zero-Day Flaw in On-Prem Exchange Servers · Infosecurity Magazine · May 15, 2026
- Microsoft Warns of Exchange Server Zero-Day Exploited in the Wild · SecurityWeek · May 15, 2026
- Unpatched Microsoft Exchange Server vulnerability exploited (CVE-2026-42897) · Help Net Security · May 15, 2026
- Microsoft warns of Exchange zero-day flaw exploited in attacks · BleepingComputer · May 15, 2026
- On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email · The Hacker News · May 15, 2026
- CISA Adds One Known Exploited Vulnerability to Catalog · CISA Alerts