According to CISA, on 15 May 2026 the agency added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The entry is CVE-2026-42897, described as a Microsoft Exchange Server Cross-Site Scripting Vulnerability. CISA notes that this type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.
The KEV Catalog is part of Binding Operational Directive 22-01, which requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by their due dates to protect FCEB networks. Although the directive itself applies to FCEB agencies, CISA urges all organisations to prioritise timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice.