Stored cross-site scripting in Microsoft Exchange Server - CVE-2026-42897

Published: May 15, 2026


Vulnerability identifier: #VU131560
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:A/U:Amber
CVE-ID: CVE-2026-42897
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: The vulnerability is being exploited in the wild
Vendor: Microsoft
Affected software:
Microsoft Exchange Server

Detailed vulnerability description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in Outlook Web Access. A remote attacker can send a specially crafted email message; when the victim views that message in Outlook Web Access, arbitrary JavaScript code is executed in the victim's browser.

Note: the vulnerability is being actively exploited in the wild.


How to mitigate CVE-2026-42897

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Sources