CVE-2026-42897: Microsoft Exchange Server Cross-Site Scripting Vulnerability

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-42897 | CVSS 8.1 | CISA KEV | Windows

CVSS: 8.1 HIGH
EPSS: 92.01%
Known exploited: yes
Product: Microsoft

What is known

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
