CVE-2026-42897 – XSS Vulnerability in Microsoft Exchange (OWA)

Forum|Forum|1 month ago
May 20, 2026
2 comments
109 views

Forum|alt.badge.img

+12

Link State
Veeam Legend

Yo guys new High Vulnerability for Exchange Onprem

CVE-2026-42897 - Security Update Guide - Microsoft - Microsoft Exchange Server Spoofing Vulnerability

CVE-2026-42897 is a high-severity security vulnerability (CVSS 8.1) affecting Microsoft Exchange Server on-premises, specifically the Outlook Web Access (OWA) component.

It is a Cross-Site Scripting (XSS) flaw caused by improper handling of user input during web page generation.

An attacker can exploit this issue by sending specially crafted emails: when a victim opens the message through OWA, malicious code may execute in the browser within the user’s session context.

This can allow actions such as:

user identity spoofing
session hijacking
performing operations on behalf of the victim

The vulnerability is particularly critical because:

it has been observed in active (zero-day) exploitation scenarios
it does not require prior attacker authentication
it impacts Exchange Server 2016, 2019, and Subscription Edition (on-premises)

Forum|alt.badge.img

+7

MarcoLuvisi
VUG Leader
Forum|Forum|1 month ago
May 21, 2026

Thanks for sharing @Link State

Marco Luvisi | VUG Italy Leader | VMCE | VCP-VCAP | NCDA-NCSE-NAHSE | SCA | vExpert 6* | Object First ACE

Like

Forum|alt.badge.img

+22

Chris.Childerhose
Veeam Legend, Veeam Vanguard
Forum|Forum|8 days ago
June 15, 2026

@Madi.Cristil @safiya - please make this post informational and not a question post.

Chris Childerhose (Enterprise Architect) - VMCE+ | VMCA | VMCE | VMCE-SP | Veeam Vanguard 8* | Veeam Legend 5* | VUG Canada Leader | vExpert 7* | Toronto VMUG Leader | VCAP-DCV/VCP-DCV/VCP-VVF | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech

Like