thehackernews.com 5/15/2026, 7:20:58 AM · via preferred

Microsoft patches Exchange Server XSS spoof flaw CVE-2026-42897

CyberSIXT Evidence Panel
Primary Source: msrc.microsoft.com
CVE Intel: CVE-2026-42897
CISA KEV: Not in KEV
Patch: Patch Available

On 15 May 2026 The Hacker News reported that Microsoft has disclosed a new vulnerability in on-premises versions of Exchange Server, tracked as CVE-2026-42897 (CVSS 8.1) and described as a cross-site scripting spoofing flaw in the web page generation process. According to Microsoft, an attacker could spoof a user by sending a crafted email that, when opened in Outlook Web Access and under certain user-interaction conditions, allows arbitrary JavaScript to execute in the victim's browser context.

The affected on-premises versions include Exchange Server 2016 (any update level), Exchange Server 2019 (any update level), and Exchange Server Subscription Edition (any update level); Exchange Online is not impacted. Microsoft has issued a temporary mitigation via the Exchange Emergency Mitigation Service (EEMS), which is enabled by default and applies the mitigation through a URL rewrite configuration, with guidance to ensure the service is active.

If the mitigation is not feasible, Microsoft also lists a sequence of actions using the Exchange On-premises Mitigation Tool (EOMT) to apply the CVE-2026-42897 mitigation on a per-server basis or across all servers. There are currently no disclosed details on the threat actor behind exploit activity or the scale of the campaigns.
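Because the temporary mitigation only reaches servers where the Emergency Mitigation Service is running and enabled, the first check an administrator wants is whether EEMS is actually active. The following is an added example written for this page, not code from the article or from Microsoft's advisory; it assumes the Exchange Management Shell on an on-premises server, and the service name, cmdlets and MitigationsEnabled property follow Microsoft's EEMS documentation as known to the editor. The CVE-specific mitigation ID is not given in the article, so the script only lists what EEMS has applied.

```powershell
# Added example (not from the article): confirm EEMS is running and enabled on
# this server so the CVE-2026-42897 URL-rewrite mitigation can be delivered.
# Run from the Exchange Management Shell on each on-premises Exchange server.
# Names assumed from Microsoft's EEMS documentation: service MSExchangeMitigation,
# the MitigationsEnabled property, and the Get-Mitigations.ps1 script in $exscripts.

$server   = $env:COMPUTERNAME
$problems = @()

# 1. The Windows service behind EEMS must be installed and running.
$svc = Get-Service -Name 'MSExchangeMitigation' -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    $problems += "EEMS service (MSExchangeMitigation) is not running on $server"
}

# 2. Mitigations must be enabled at the organization level ...
$org = Get-OrganizationConfig
if (-not $org.MitigationsEnabled) {
    $problems += 'MitigationsEnabled is $false at the organization level'
}

# 3. ... and must not have been switched off for this particular server.
$srv = Get-ExchangeServer -Identity $server
if (-not $srv.MitigationsEnabled) {
    $problems += "MitigationsEnabled is `$false on server $server"
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    Write-Warning 'EEMS cannot deliver the mitigation; apply it manually with EOMT per the advisory.'
    exit 1
}

# 4. EEMS is active: list the mitigations it has already applied. The
#    CVE-2026-42897 entry should appear once the service has polled Microsoft;
#    its mitigation ID is not stated in the article, so check the advisory.
& "$exscripts\Get-Mitigations.ps1"
Write-Host "EEMS is running and enabled on $server; review the list above for the CVE-2026-42897 mitigation."
```

A non-zero exit is the signal to fall back to the EOMT steps the article refers to; the script changes nothing on the server.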


Article by CyberSIXT
