CVE-2026-42897 is an actively exploited cross-site scripting (XSS) vulnerability in on-premises Microsoft Exchange Server, specifically affecting the Outlook Web Access (OWA) rendering path. Microsoft describes the issue as improper neutralization of input during web page generation. An unauthenticated remote attacker can send a specially crafted email to a target user; when the victim opens the message in OWA and certain interaction conditions are met, attacker-controlled JavaScript executes in the browser context of the authenticated OWA session. Affected products include Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition at any update level. Exchange Online is not affected. Microsoft classified the issue as a spoofing vulnerability, but the available reporting consistently characterizes the root cause and exploit behavior as XSS in OWA.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
No valid public exploits. Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.
All candidate exploits were filtered out by Mallory's validation.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
246 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A critical spoofing/XSS vulnerability in on-premises Microsoft Exchange Outlook Web Access (OWA) that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser session via a specially crafted email.
0-day уязвимость в Exchange Server, позволяющая выполнить произвольный JavaScript-код в браузере жертвы через специально подготовленное письмо в Outlook Web Access.
An actively exploited vulnerability affecting Microsoft Exchange Server that was patched in this Patch Tuesday release.
A high-severity Microsoft Exchange Server spoofing vulnerability that enables arbitrary JavaScript execution via XSS against Outlook Web Access users.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.