Vulnerability detail

Enriched intelligence for a single CVE

PRO Back to KEVs

8.1

CVSS
High

CVE-2026-42897

PUBLISHED

Microsoft Exchange Server Spoofing Vulnerability

1 day faster than CISA KEV

Exploited in the wild Remote Low complexity

Vendor: Microsoft
Product: Microsoft Exchange Server 2016 Cumulative Update 23, Microsoft Exchange Server 2019 Cumulative Update 14, Microsoft Exchange Server 2019 Cumulative Update 15, Microsoft Exchange Server Subscription Edition RTM
Published: May 14, 2026
EPSS: 7.9% · 92% pctl

Automate this intelligence with the Pro API

Everything on this page — CVSS, EPSS, exploit status, PoCs, scanner integrations, mentions, tags, and immediate honeypot data — is available programmatically for VM, SOC, and CTI workflows.

Learn about Pro

Description

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

cisa microsoft

Weaknesses (CWE)

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS scores

CVSS v3.1 8.1 High

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:F/RL:O/RC:C

Exploitation status

Exploited in the wild

Recorded 2026-06-01 13:29:03 UTC · CVE

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source	Added
CVE First	2026-06-01 13:29 UTC
CISA	2026-06-02 14:00 UTC

Timeline

CVE ID Reserved

2026-04-30 22:35 UTC
CVE Published to Public

2026-05-14 17:00 UTC
Added to KEVIntel

2026-06-01 13:29 UTC
KEV confirmed by CISA

2026-06-02 14:00 UTC