Microsoft has released security updates for an actively exploited cross-site scripting (XSS) flaw in Exchange Server, CVE-2026-42897, which can let attackers run arbitrary JavaScript in Outlook Web Access. CISA marked the issue as exploited in the wild and urged rapid patching for affected Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition systems. #Microsoft #ExchangeServer #CVE-2026-42897 #CISA
Key points
- Microsoft patched CVE-2026-42897 in Exchange Server.
- The flaw allows arbitrary JavaScript execution in Outlook Web Access.
- Attackers can trigger it with a specially crafted email.
- The issue affects Exchange Server 2016, 2019, and Subscription Edition.
- CISA added the flaw to its exploited-in-the-wild list and ordered fast patching.