CVE-2026-42897 · MEDIUM 8.1 · CISA KEV · EPSS p82.7%

CVE-2026-42897: Microsoft Exchange Server Cross-Site Scripting Vulnerability

Microsoft / Microsoft

Description

Microsoft Exchange Server contains a cross-site scripting vulnerability in web page generation in Outlook Web Access. When certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context.

Scoring

CVSS 3.1: 8.1 (MEDIUM)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS: 2.51% probability of exploitation · percentile 82.7% · 2026-06-21T12:00:28Z
Published: 2026-05-14
Last modified: 2026-06-15

CISA KEV entry

Added to KEV: 2026-05-15

Underlying weaknesses · 1

CWE-79

References

  1. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897
  2. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42897

1

Type | Target | Confidence | Tier
Weakness | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') cwe-79 | 0% | live

(incoming) 1

Type | Target | Confidence | Tier
KEVEntry | Microsoft Exchange Server Cross-Site Scripting Vulnerability kev-cve-2026-42897 | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2026-47631
  2. CVE: CVE-2026-45501
  3. CVE: CVE-2026-45500
  4. CVE: Microsoft Exchange Server Remote Code Execution Vulnerability
  5. CVE: Microsoft Exchange Server Information Disclosure Vulnerability
  6. CVE: CVE-2026-48579

Sourced from NVD + CISA KEV + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.