Actively-Exploited

vulnerability 2026-05-15
Exchange Server CVE-2026-42897: Unpatched OWA XSS Zero-Day Exploited via Crafted Email
Microsoft confirms in-the-wild exploitation of an unpatched XSS spoofing flaw in on-prem Exchange Server 2016, 2019, and Subscription Edition. Mitigation is automatic only if EEMS is enabled.
microsoft exchange zero-day xss spoofing owa cve-2026-42897 actively-exploited

Exchange Server CVE-2026-42897: Unpatched OWA XSS Zero-Day Exploited via Crafted Email