CVE-2026-42897

high

Microsoft

CVSS v3 Base Score

8.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:F/RL:O/RC:C

Attack Characteristics

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Confidentiality

High

Integrity

High

Availability

None

Published: May 14, 2026 (2 days ago)

Last Modified: May 15, 2026

Vendor: Microsoft

Source: MITRE

Description

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

CWE

CWE-79

Affected Products

Microsoft Microsoft Exchange Server 2016 Cumulative Update 23Microsoft Microsoft Exchange Server 2019 Cumulative Update 14Microsoft Microsoft Exchange Server 2019 Cumulative Update 15Microsoft Microsoft Exchange Server Subscription Edition RTM

References

🔗 msrc.microsoft.com

CVE-2026-42897

Vulnerability Report

Description

CWE

Affected Products

References