ACCORDING to CISA, the Known Exploited Vulnerabilities (KEV) Catalog currently lists a single entry: CVE-2026-42897, a Microsoft Exchange Server cross-site scripting vulnerability that can allow arbitrary JavaScript to be executed in the browser context during web page generation in Outlook Web Access. The entry lists known use in ransomware campaigns as “Unknown”.
The entry was added on 15 May 2026 and has a due date of 29 May 2026. The recommended action is to apply mitigations per vendor instructions, follow applicable guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Related resources include Microsoft’s update guide and the NVD entry for CVE-2026-42897. This KEV listing highlights the need for timely remediation of exposed Exchange Server deployments to reduce the risk of exploitation.
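To track the due date against actual deployments, the following added example (not from CISA or Microsoft) matches a KEV record against an asset inventory and orders the hosts by remediation urgency. The record uses the KEV JSON feed's field names with the values stated above; the vendor/product split, the inventory, its hostnames and its keys are constructed assumptions.

```python
import json
from datetime import date

# Constructed record: field names follow the CISA KEV JSON feed, values are the
# ones given in the text; the vendor/product split is an assumption.
KEV_FEED = """{"vulnerabilities": [{
  "cveID": "CVE-2026-42897",
  "vendorProject": "Microsoft",
  "product": "Exchange Server",
  "dateAdded": "2026-05-15",
  "dueDate": "2026-05-29",
  "knownRansomwareCampaignUse": "Unknown"
}]}"""

# Constructed inventory; hostnames and keys are hypothetical.
INVENTORY = [
    {"host": "mail02.example.internal", "vendor": "microsoft",
     "product": "exchange server", "internet_facing": False, "mitigated": False},
    {"host": "mail01.example.internal", "vendor": "Microsoft",
     "product": "Exchange Server", "internet_facing": True, "mitigated": False},
    {"host": "mail03.example.internal", "vendor": "Microsoft",
     "product": "Exchange Server", "internet_facing": True, "mitigated": True},
    {"host": "web01.example.internal", "vendor": "Apache",
     "product": "HTTP Server", "internet_facing": True, "mitigated": False},
]

RANK = {"overdue": 0, "open": 1, "mitigated": 2}

def triage(feed_json, inventory, today):
    """Match KEV entries to assets and order them by remediation urgency."""
    findings = []
    for vuln in json.loads(feed_json)["vulnerabilities"]:
        due = date.fromisoformat(vuln["dueDate"])
        key = (vuln["vendorProject"].casefold(), vuln["product"].casefold())
        for asset in inventory:
            if (asset["vendor"].casefold(), asset["product"].casefold()) != key:
                continue  # asset does not run the listed product
            if asset["mitigated"]:
                status = "mitigated"
            else:
                status = "overdue" if today > due else "open"
            findings.append({"cve": vuln["cveID"], "host": asset["host"],
                             "status": status, "days_left": (due - today).days,
                             "internet_facing": asset["internet_facing"]})
    # Unmitigated first, then internet-facing hosts, then nearest deadline.
    findings.sort(key=lambda f: (RANK[f["status"]], not f["internet_facing"], f["days_left"]))
    return findings

if __name__ == "__main__":
    for finding in triage(KEV_FEED, INVENTORY, date(2026, 5, 20)):
        print(finding)
```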