Yo guys, new high-severity vulnerability for Exchange on-prem
CVE-2026-42897 is a high-severity security vulnerability (CVSS 8.1) affecting Microsoft Exchange Server on-premises, specifically the Outlook Web Access (OWA) component.
It is a Cross-Site Scripting (XSS) flaw caused by improper handling of user input during web page generation.
An attacker can exploit this issue by sending specially crafted emails: when a victim opens the message through OWA, malicious code may execute in the browser within the user’s session context.
This can allow actions such as:
- user identity spoofing
- session hijacking
- performing operations on behalf of the victim
The vulnerability is particularly critical because:
- it has been observed in active (zero-day) exploitation scenarios
- it does not require prior attacker authentication
- it impacts Exchange Server 2016, 2019, and Subscription Edition (on-premises)
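As an added illustration of the bug class described above (improper neutralization of untrusted input during web page generation), here is a small Python example. It is my own constructed code, not anything from Microsoft, Exchange or OWA: a toy webmail renderer that shows the vulnerable concatenation pattern next to the escaped version, plus a parser-based check a defender can use as a regression test to confirm rendered output contains no active content. The message bodies are constructed samples; `render_unsafe`, `render_escaped` and `audit_rendered_html` are hypothetical names.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample message bodies: the kind of untrusted content a webmail
# client has to render. The last two contain harmless active markup.
SAMPLE_BODIES = [
    "Hello <b>team</b>, see the attached report.",
    '<img src="x" onerror="alert(1)">',
    "<script>alert(1)</script>",
]


def render_unsafe(body: str) -> str:
    """Vulnerable pattern: untrusted content is concatenated into the page as-is,
    so any markup in the message becomes part of the page and runs in the
    recipient's session."""
    return f"<div class='message-body'>{body}</div>"


def render_escaped(body: str) -> str:
    """Hardened pattern: HTML-escape the content so markup is displayed as text
    rather than interpreted. (Real webmail clients that must allow some rich
    HTML use an allowlist sanitizer instead; escaping is the simplest safe default.)"""
    return f"<div class='message-body'>{escape(body, quote=True)}</div>"


class _ActiveContentDetector(HTMLParser):
    """Walks rendered HTML and records constructs that can execute script:
    script-bearing elements, on* event-handler attributes and javascript: URIs.
    Working on the parsed tree, rather than on raw text, means escaped text such as
    '&lt;script&gt;' is correctly treated as data, not markup."""

    ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
    URI_ATTRS = {"href", "src", "action", "formaction"}

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in self.ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.findings.append(f"<{tag}> has event handler attribute {lname}")
            elif lname in self.URI_ATTRS and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"<{tag}> has javascript: URI in {lname}")


def audit_rendered_html(fragment: str) -> list[str]:
    """Return a list of findings for a rendered HTML fragment; empty means no
    active content was detected. Suitable as a unit-test assertion on the
    output of a rendering function."""
    detector = _ActiveContentDetector()
    detector.feed(fragment)
    detector.close()
    return detector.findings


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print("unsafe  :", audit_rendered_html(render_unsafe(body)))
        print("escaped :", audit_rendered_html(render_escaped(body)))
```

The point of the audit function is not to catch every possible payload (a blocklist never will) but to turn "does our rendering path neutralize message content?" into a check that runs on every build: escaped output should produce zero findings for any input, while the concatenation pattern fails as soon as a message carries a script element or event handler.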
