Reflected XSS in Microsoft Exchange OWA
CVE-2026-42897 is an actively exploited cross-site scripting vulnerability in on-premises Microsoft Exchange Server, specifically in the Outlook Web Access (OWA) component. The flaw is improper neutralization of input during web page generation. Available reporting indicates that OWA's server-side rendering logic embeds user-controlled values, including URL paths and query string parameters, into generated HTML without context-aware output encoding. As a result, a specially crafted email or other reflected input can cause attacker-controlled JavaScript to execute in the victim's browser when the content is opened in OWA under certain interaction conditions. Because that script runs in the origin of the OWA site, it runs with the victim's authenticated mailbox session. Microsoft describes the issue as a spoofing vulnerability rooted in XSS. Affected products include Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition on-premises at any update level; Exchange Online is not affected.
Impact, mitigation & remediation
Impact
What an attacker gets — and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
No valid public exploits — Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.
Recent activity
172 sources tracked across advisories, community write-ups, and news.
A Microsoft Exchange remote code execution vulnerability demonstrated at Pwn2Own Berlin 2026 that allows SYSTEM-level code execution and has already been confirmed exploited in the wild.
A Microsoft Exchange Server zero-day XSS/spoofing vulnerability affecting Outlook Web Access (OWA) that can be triggered via a specially crafted email and is significant because CISA added it to the KEV catalog after confirmed in-the-wild exploitation.
A zero-day cross-site scripting vulnerability in Microsoft Exchange Server affecting Outlook Web Access (OWA), allowing malicious JavaScript execution via a specially crafted email opened in OWA.
A zero-day cross-site scripting vulnerability in Microsoft Exchange Outlook Web Access (OWA) caused by insufficient input filtering during website generation. It can allow unauthenticated network attackers to send crafted emails that trigger arbitrary JavaScript execution in a victim's browser under certain interaction conditions.
A reflected cross-site scripting vulnerability in the Microsoft Exchange OWA component caused by improper context-aware output encoding of user-controlled input in server-rendered HTML.
A vulnerability in Microsoft Exchange Outlook Web Access (OWA) that can allow arbitrary JavaScript execution in the browser context when a user opens a specially crafted email and certain interaction conditions are met.
A May 2026 Exchange Server vulnerability referenced by CVE ID in the page metadata. The provided content does not include substantive details about the flaw itself.
A specific Microsoft Exchange Server vulnerability for which Microsoft released Emergency Mitigation service mitigation M2 using an IIS URL Rewrite rule.