SB2026051542 - Spoofing attack via stored XSS in Microsoft Exchange Server OWA

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026051542

SB2026051542 - Spoofing attack via stored XSS in Microsoft Exchange Server OWA

Published: May 15, 2026

Security Bulletin ID SB2026051542
CSH Severity
High
Patch available
NO
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

High 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Stored cross-site scripting (CVE-ID: CVE-2026-42897)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in Outlook Web Access. A remote attacker can send a specially crafted email message and execute arbitrary JavaScript code in the victim's browser once the email is viewed. 

Note, the vulnerability is being actively exploited in the wild. 


Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References