Microsoft Releases Security Advisory for a Zero-Day Vulnerability in Exchange Server


Summary

Successful exploitation of CVE-2026-42897 could lead to arbitrary JavaScript execution in the browser context for users of on-premises Microsoft Exchange Server deployments


Threat details

Exploitation of CVE-2026-42897

Microsoft has confirmed active exploitation of CVE-2026-42897 in the wild.

The NHS England National CSOC assesses further exploitation as highly likely.


Introduction

Microsoft has released a security advisory to address a high-severity vulnerability in Microsoft Exchange Server. An attacker could exploit this vulnerability by sending a specially crafted email to a user. If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context.

  • CVE-2026-42897 – "Improper Neutralisation of Input During Web Page Generation" vulnerability – CVSS v3.1 score of 8.1
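The weakness class named above ("Improper Neutralisation of Input During Web Page Generation", CWE-79) is the pattern where sender-controlled mail fields reach the page without output encoding. The following is an added illustration of that class and of the encoding that neutralises it; it is not Microsoft's or Outlook Web Access's code, says nothing about the specific defect in CVE-2026-42897, and the message fields, function names and the coarse `hasUnexpectedMarkup` check are all constructed for this example.

```javascript
// Added example (not Microsoft's or OWA's code): the CWE-79 pattern the
// advisory names, shown as an unsafe template beside an output-encoded one.
// Every identifier and sample value below is constructed for illustration.

// Encode the five characters that carry meaning in an HTML text or quoted
// attribute context, so untrusted mail content is shown as text, not parsed.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Unsafe: concatenates sender-controlled fields straight into the page,
// so markup in the subject, body or sender becomes part of the document.
function renderPreviewUnsafe(message) {
  return `<div class="preview" title="${message.sender}">` +
         `<h2>${message.subject}</h2><p>${message.body}</p></div>`;
}

// Hardened: every sender-controlled value passes through escapeHtml before
// it is placed in an HTML text or quoted-attribute context.
function renderPreviewSafe(message) {
  return `<div class="preview" title="${escapeHtml(message.sender)}">` +
         `<h2>${escapeHtml(message.subject)}</h2>` +
         `<p>${escapeHtml(message.body)}</p></div>`;
}

// Coarse harness check (not a sanitiser): a rendered preview should contain
// exactly the tags the template itself emits and no quoted event-handler
// attribute. Anything else means sender input was interpreted as markup.
const TEMPLATE_TAGS = ["div", "h2", "p"];
function hasUnexpectedMarkup(html) {
  const tagNames = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)]
    .map((m) => m[1].toLowerCase());
  const unexpectedTag = tagNames.some((t) => !TEMPLATE_TAGS.includes(t));
  // Only a handler followed by an opening quote is a live attribute; an
  // encoded &quot; after the "=" means the text was neutralised.
  const eventHandler = /\son[a-z]+\s*=\s*["']/i.test(html);
  return unexpectedTag || eventHandler;
}

// Constructed sample message whose fields all carry markup.
const CONSTRUCTED_MESSAGE = {
  sender: 'mallory@example.invalid" onmouseover="alert(1)',
  subject: "Quarterly report <script>alert(1)</script>",
  body: 'Please review <img src=x onerror="alert(1)"> before Friday',
};

// Render the same message both ways and report whether markup leaked through.
function demo() {
  return {
    unsafeLeaksMarkup: hasUnexpectedMarkup(renderPreviewUnsafe(CONSTRUCTED_MESSAGE)),
    safeLeaksMarkup: hasUnexpectedMarkup(renderPreviewSafe(CONSTRUCTED_MESSAGE)),
  };
}

console.log(demo()); // { unsafeLeaksMarkup: true, safeLeaksMarkup: false }
```

The point of `escapeHtml` is context-specific encoding: it is correct for HTML text and quoted attribute values, which is where the template places the fields, but would not be sufficient on its own for a URL, a `style` attribute or an inline script context.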

Remediation advice

Affected organisations are encouraged to review Microsoft's advisories "Addressing Exchange Server May 2026 vulnerability CVE-2026-42897" and "Microsoft Exchange Server Spoofing Vulnerability", and to follow the relevant mitigation steps as soon as possible.



Last edited: 15 May 2026 1:29 pm