securityaffairs.com 5/15/2026, 2:30:33 PM

CVE-2026-42897: Microsoft warns of active Exchange XSS flaw

CyberSIXT Evidence Panel

- Primary Source: msrc.microsoft.com
- CISA KEV: Not in KEV
- Patch: Patch Available

CVE-2026-42897 describes an improper neutralisation of input during web page generation (cross-site scripting) in Microsoft Exchange Server, with Microsoft warning that attackers are actively exploiting the flaw in the wild. According to Microsoft, the vulnerability affects Outlook Web Access and can be triggered by a specially crafted email that executes malicious JavaScript when opened in Outlook Web Access under certain conditions, enabling spoofing over a network.
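To make the vulnerability class concrete, the following is an added illustration, not Exchange or OWA code and not from the securityaffairs.com article: a toy webmail renderer that takes an inbound message's HTML body and builds the markup the browser will display. `render_unsafe` interpolates the body verbatim, which is the improper-neutralisation defect that CWE-79 names; `render_safe` first passes it through an allowlist sanitiser that drops script and style blocks, disallowed tags, `on*` event-handler attributes and non-http(s)/mailto link targets, and HTML-encodes the remaining text. All function names, the allowlist and the sample message are constructed for this example.

```python
"""Illustration of neutralising untrusted email HTML before rendering.

Added example, not Exchange/OWA code. The sanitiser below is a minimal
allowlist filter built on the standard library; production webmail
should use a maintained HTML sanitiser, but the mechanics are the same.
"""
from html import escape
from html.parser import HTMLParser

# Constructed allowlist: only these tags/attributes survive rendering.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "a", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


class _Sanitizer(HTMLParser):
    """Rebuilds the message body, emitting only allowlisted markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # > 0 while inside <script>/<style> content

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1  # drop the element and everything inside it
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: dropped, its text content is still escaped
        kept = []
        for name, value in attrs:
            if name.startswith("on"):
                continue  # event handlers (onerror, onload, ...) never survive
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href":
                # Collapse whitespace so "java\nscript:" cannot slip past the check.
                target = "".join((value or "").split()).lower()
                if not target.startswith(SAFE_URL_SCHEMES):
                    continue  # javascript:, data:, vbscript: ... are dropped
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> and friends

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            # convert_charrefs=True hands us decoded text; re-encode it so
            # the browser sees characters, not markup.
            self.out.append(escape(data, quote=False))


def sanitize_email_html(body: str) -> str:
    """Return the allowlist-filtered, entity-encoded form of an email body."""
    parser = _Sanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)


def render_unsafe(body: str) -> str:
    """The defect class: untrusted HTML spliced straight into the page."""
    return f'<div class="message-body">{body}</div>'


def render_safe(body: str) -> str:
    """Same page, but the body is neutralised before generation."""
    return f'<div class="message-body">{sanitize_email_html(body)}</div>'


# Constructed sample message mixing legitimate content with the usual
# script-injection shapes a sanitiser has to strip.
SAMPLE_EMAIL_HTML = (
    "<p>Quarterly report attached.</p>"
    '<img src="x" onerror="alert(1)">'
    '<a href="javascript:alert(1)">open</a>'
    "<script>alert(1)</script>"
    '<a href="https://example.com/report">report</a>'
)

if __name__ == "__main__":
    print("unsafe:", render_unsafe(SAMPLE_EMAIL_HTML))
    print("safe:  ", render_safe(SAMPLE_EMAIL_HTML))
```

Running the module prints both renderings; the safe one keeps the paragraph and the https link while the inline handler, the javascript: URL and the script block are gone. The point the advisory makes is exactly this boundary: the email body is attacker-controlled input, and whatever the webmail client writes into its page must be neutralised at that boundary rather than trusted because it arrived through the mail server.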

Microsoft has confirmed active exploitation but has not disclosed details about specific attacks. Until a permanent security update is available, temporary mitigation measures have been released and administrators are urged to apply them immediately to reduce exposure.

The issue follows Microsoft’s May 2026 Patch Tuesday, which fixed 138 vulnerabilities, underscoring the ongoing risk posed by Exchange Server zero-days, given the server's central role in corporate email and the access it can offer to internal communications, credentials, and workflows.


Article by CyberSIXT
