Vulnerability intelligence
CVE-2026-42897
Microsoft Exchange Server Cross-Site Scripting Vulnerability
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
CVSS Score
8.1
High
EPSS — Exploit Probability
7.9%
Riskier than 92% of all CVEs
Exploitation
Confirmed in the wild
Used in ransomware campaigns
Remediation
Patch available
Federal deadline 2026-05-29
CISA required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Deadline for federal agencies: 2026-05-29.
10 articles across 7 outlets · first covered May 15, 2026 · latest May 18, 2026
Associated threat actors
Coverage timeline
-
Microsoft Exchange Zero-Day Under Attack, No Patch Availablewww.darkreading.com · May 18, 2026
-
Microsoft Exchange zero day bug exploited in the wildthehackernews.com · May 18, 2026
-
CISA flags Exchange zero day flaw CVE-2026-42897 in KEV listsecurityaffairs.com · May 16, 2026
-
CISA adds Exchange XSS flaw CVE‑2026‑42897 to KEV listwww.cisa.gov · May 15, 2026
-
CISA flags CVE‑2026‑42897 in Exchange, urges immediate patchcisa.gov · May 15, 2026
-
CISA Adds MS Exchange XSS Flaw CVE-2026-42897 to KEV Catalogwww.cisa.gov · May 15, 2026
-
CVE-2026-42897: Microsoft warns of active Exchange XSS flawsecurityaffairs.com · May 15, 2026
-
Microsoft Reports Severe Zero-Day Flaw in On-Prem Exchange Serverswww.infosecurity-magazine.com · May 15, 2026
-
Microsoft warns of zero day Exchange flaw CVE-2026-42897www.securityweek.com · May 15, 2026
-
Microsoft patches Exchange Server XSS spoof flaw CVE-2026-42897thehackernews.com · May 15, 2026