The United States Cybersecurity and Infrastructure Security Agency (CISA) has added a Microsoft Exchange Server spoofing vulnerability to its Known Exploited Vulnerabilities Catalog.
CVE-2026-42897 was added on 15 May, with CISA noting “Microsoft Exchange Server contains a cross-site scripting vulnerability during web page generation in Outlook Web Access, and when certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context”.
The vulnerability was first published on 14 May and has a high severity CVSS score of 8.1. Microsoft, however, rates the vulnerability as critical. CVE-2026-42897 impacts the following product versions:
- Microsoft Exchange Server Subscription Edition RTM
- Microsoft Exchange Server 2019 Cumulative Update 15
- Microsoft Exchange Server 2019 Cumulative Update 14
- Microsoft Exchange Server 2016 Cumulative Update 23
Microsoft also outlined how the vulnerability can be exploited in its advisory.
“An attacker could exploit this issue by sending a specially crafted email to a user,” Microsoft said.
“If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context.”
The company said it is providing a “temporary mitigation” via the Exchange Emergency Mitigation Service and is working on a “more permanent fix”.
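Because Microsoft's interim mitigation is delivered through the Exchange Emergency Mitigation Service (EEMS), the first thing an Exchange administrator will want to confirm is that EEMS is actually enabled and applying mitigations on each server. The following PowerShell check is an added example for this article, not code from Microsoft or from the news report; it runs in the Exchange Management Shell on an on-premises server and uses the `MitigationsEnabled`, `MitigationsApplied` and `MitigationsBlocked` properties that Microsoft documents for EEMS, and the `MSExchangeMitigation` Windows service name. Treat the output column names as this example's own choice.

```powershell
# Added example (not from the article): report whether the Exchange Emergency
# Mitigation Service is enabled, because Microsoft's temporary mitigation for
# CVE-2026-42897 is distributed through it. Run in the Exchange Management
# Shell on an on-premises Exchange server with an account that can read the
# organization and server configuration.
function Get-EemsStatus {
    # Organization-wide switch. If this is False, no server in the org
    # receives mitigations regardless of the per-server setting.
    $orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

    # Per-server view: local enable flag plus the mitigation IDs that EEMS has
    # applied or that an administrator has blocked on that server.
    $servers = Get-ExchangeServer | ForEach-Object {
        [pscustomobject]@{
            Server             = $_.Name
            OrgEnabled         = $orgEnabled
            ServerEnabled      = $_.MitigationsEnabled
            Applied            = ($_.MitigationsApplied -join ', ')
            Blocked            = ($_.MitigationsBlocked -join ', ')
            # Effective only when both the org and the server switch are on.
            Effective          = ($orgEnabled -and $_.MitigationsEnabled)
        }
    }
    return $servers
}

function Test-EemsServiceRunning {
    # The mitigation engine runs as a Windows service on each server; if it is
    # stopped, no new mitigations are fetched even when the flags are enabled.
    $svc = Get-Service -Name 'MSExchangeMitigation' -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return $false }
    return ($svc.Status -eq 'Running')
}

# Usage: list servers where the mitigation path is not effective so they can
# be remediated (or patched directly) first.
$status = Get-EemsStatus
$status | Format-Table Server, OrgEnabled, ServerEnabled, Effective, Applied, Blocked -AutoSize
$status | Where-Object { -not $_.Effective } | ForEach-Object {
    Write-Warning "EEMS is not effective on $($_.Server); interim mitigation will not be applied there."
}
if (-not (Test-EemsServiceRunning)) {
    Write-Warning 'MSExchangeMitigation service is not running on this host.'
}
```

Run this on each Exchange server (or at least one per site) rather than once centrally, since `Test-EemsServiceRunning` only inspects the local service. A server that shows `Effective = True` but an empty `Applied` column has not yet received a mitigation for this issue, so it should still be treated as exposed until Microsoft's permanent fix is installed.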
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.