Vulnerability Details CVE-2026-42897
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.079
EPSS Ranking 92.2%
CVSS Severity
CVSS v3 Score 8.1
Proposed Action
Microsoft Exchange Server contains a cross-site scripting vulnerability during web page generation in Outlook Web Access and when certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context.
Ransomware Campaign
Unknown
References
Products affected by CVE-2026-42897
-
cpe:2.3:a:microsoft:exchange_server:-
-
cpe:2.3:a:microsoft:exchange_server:2016
-
cpe:2.3:a:microsoft:exchange_server:2019