CISA KEV Alert 5/15/2026, 7:20:45 PM

CISA flags CVE‑2026‑42897 in Exchange, urges immediate patch

Evidence panel (source marked as original reporting)
Primary source: cisa.gov
CISA KEV: listed
Patch: available

CISA has added CVE‑2026‑42897 to its Known Exploited Vulnerabilities (KEV) catalogue. The flaw affects Microsoft Exchange Server and is identified as the Microsoft Exchange Server Cross‑Site Scripting Vulnerability. It is a cross‑site scripting issue that occurs during web page generation in Outlook Web Access when certain interaction conditions are met, allowing arbitrary JavaScript to be executed in a user’s browser.

The vulnerability is classified as a reflected/stored XSS (type not specified in the advisory) with an attack vector that requires a victim to interact with a specially crafted OWA page. Successful exploitation lets an attacker run JavaScript in the context of the victim’s browser, which can be used to hijack sessions or steal data. The CVSS base score is 8.1, rated HIGH. Microsoft has released a patch; the advisory is available via the MSRC update guide.
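To make the failure class concrete, here is an added illustration (not code from Microsoft, OWA or CyberSIXT) of the general pattern the advisory describes: a page generator that interpolates user-controlled data into HTML so that a browser parses it as markup, beside the same generator with context-aware escaping, plus a small parser-based check and a defence-in-depth response header. The input string and the header values are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed input standing in for user-controlled data that reaches an HTML
# response. The <script> element is the textbook marker for whether a renderer
# treats input as markup (vulnerable) or as text (safe).
USER_INPUT = 'Bob <script>alert(1)</script>'


def render_unsafe(display_name):
    # Untrusted data dropped straight into markup: the cross-site scripting pattern.
    return f"<p>Signed in as {display_name}</p>"


def render_safe(display_name):
    # Escaping for the HTML text-content context; quote=True also covers
    # attribute delimiters in case the fragment is later reused in an attribute.
    return f"<p>Signed in as {html.escape(display_name, quote=True)}</p>"


class _TagCollector(HTMLParser):
    """Records every start tag a browser-like parser would see in a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def active_tags(markup):
    # Elements that survive as markup; escaped input contributes none.
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def security_headers():
    # Defence in depth (assumed policy, not Exchange's): a Content-Security-Policy
    # that refuses inline script even if output encoding is missed somewhere.
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                                   "object-src 'none'; base-uri 'none'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    print("unsafe:", render_unsafe(USER_INPUT), active_tags(render_unsafe(USER_INPUT)))
    print("safe:  ", render_safe(USER_INPUT), active_tags(render_safe(USER_INPUT)))
```

The escaped rendering yields only the intended `p` element; the unsafe one yields a `script` element, which is exactly the condition the advisory summarises as arbitrary JavaScript running in the victim's browser.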

Because the vulnerability is being actively exploited in the wild, CISA has placed it in the KEV catalogue. No known ransomware campaign has been linked to this CVE at this time. Federal Civilian Executive Branch (FCEB) agencies must apply the required mitigations by 29 May 2026.

CISA’s required action is: “Apply mitigations per vendor instructions, follow applicable BOD 22‑01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” While this directive binds FCEB agencies, all organisations should review their Exchange Server exposure, install the latest security update, or implement the vendor‑recommended mitigations.
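As an added example of how a defender would operationalise the KEV listing and its due date (this is not CISA's or CyberSIXT's tooling), the following script loads a record in the shape of CISA's KEV JSON feed, matches it against a product inventory, and computes how many days remain before the BOD 22-01 deadline. The feed record, the inventory and the URGENT/SCHEDULED/OVERDUE thresholds are constructed for the example; the field names follow the published KEV feed format.

```python
import json
from datetime import date

# Constructed record mirroring the shape of the CISA KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Values restate the alert above; the record is assembled here, not fetched.
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-42897",
            "vendorProject": "Microsoft",
            "product": "Exchange Server",
            "vulnerabilityName": "Microsoft Exchange Server Cross-Site Scripting Vulnerability",
            "dateAdded": "2026-05-15",
            "shortDescription": "Cross-site scripting in Outlook Web Access during web page generation.",
            "requiredAction": "Apply mitigations per vendor instructions, follow applicable "
                              "BOD 22-01 guidance for cloud services, or discontinue use of "
                              "the product if mitigations are unavailable.",
            "dueDate": "2026-05-29",
            "knownRansomwareCampaignUse": "Unknown",
        }
    ],
})

# Constructed asset inventory: (vendor, product) pairs present in the estate.
INVENTORY = [("Microsoft", "Exchange Server"), ("Microsoft", "SharePoint Server")]


def load_kev(feed_text):
    """Index the feed by CVE identifier."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}


def affected_entries(kev, inventory):
    """KEV entries whose vendor/product pair appears in the inventory."""
    wanted = {(v.lower(), p.lower()) for v, p in inventory}
    return [e for e in kev.values()
            if (e["vendorProject"].lower(), e["product"].lower()) in wanted]


def triage(entry, today):
    """Days remaining until the KEV due date and an assumed priority label."""
    due = date.fromisoformat(entry["dueDate"])
    days_left = (due - today).days
    if days_left < 0:
        status = "OVERDUE"
    elif days_left <= 7:          # assumed threshold for escalation
        status = "URGENT"
    else:
        status = "SCHEDULED"
    return {
        "cve": entry["cveID"],
        "days_left": days_left,
        "status": status,
        "ransomware_use": entry["knownRansomwareCampaignUse"],
        "action": entry["requiredAction"],
    }


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_FEED)
    for entry in affected_entries(kev, INVENTORY):
        print(triage(entry, date(2026, 5, 15)))
```

Run against the real feed, the same functions give a daily list of catalogued CVEs that touch products you actually run, ordered by how close each is to its remediation deadline.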

For full details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-42897 and the CISA KEV catalogue at https://www.cisa.gov/known-exploited-vulnerabilities-catalogue.


Article by CyberSIXT
