CVE-2026-42897CISA KEV: Actively Exploited

Microsoft Exchange Server Cross-Site Scripting Vulnerability

Published May 15, 2026·Updated May 15, 2026

Description

Microsoft Exchange Server contains a cross-site scripting vulnerability during web page generation in Outlook Web Access and when certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context.

Public Exploits & PoCs1 found

[POC] CVE-2026-42897 — CVE-2026-42897

CVE-2026-42897 - Exchange Health Checker blind spot: outbound IIS URL Rewrite rules silently ignored, making EOMT mitigations invisible in diagnostic reports.

References

View on NVD Search GitHub Search Google

Get alerted for CVEs like this

Start monitoring free