CVE-2026-42897: Microsoft Exchange Server Cross-Site Scripting Vulnerability
Summary
A cross-site scripting (XSS) vulnerability exists in Microsoft Exchange Server, specifically within Outlook Web Access. Under certain conditions, this flaw allows arbitrary JavaScript execution in the user's browser context. Federal agencies are required to apply mitigations by May 29, 2026.
IFF Assessment
This vulnerability allows arbitrary JavaScript execution in the affected user's browser, which is a direct threat to that user's session and the mailbox data it can reach.
Severity
The CVSS score of 6.1 reflects a moderate severity. While it requires user interaction and specific conditions, it enables arbitrary JavaScript execution in the browser context, posing a risk of session hijacking or data theft.
CISA KEV: Listed as actively exploited. Federal patch due: May 29, 2026. Known ransomware use: Unknown.
Defender Context
This advisory covers an XSS vulnerability in Microsoft Exchange Server that could allow attackers to execute arbitrary JavaScript in the context of a user's browser. Although the CVSS score is moderate (6.1), the flaw is listed as actively exploited, so defenders should prioritize applying vendor-provided mitigations immediately to prevent potential session hijacking and credential theft. Continuous monitoring of Outlook Web Access for suspicious activity, such as unexpected script or HTML content in messages and anomalous session behavior following message views, is also crucial.