Back to KEVs

CVE-2026-42897

Microsoft Exchange Server Spoofing Vulnerability

Basic Information

CVE State
PUBLISHED
Reserved Date
April 30, 2026
Published Date
May 14, 2026
Last Updated
May 26, 2026
Vendor
Microsoft
Product
Microsoft Exchange Server 2016 Cumulative Update 23, Microsoft Exchange Server 2019 Cumulative Update 14, Microsoft Exchange Server 2019 Cumulative Update 15, Microsoft Exchange Server Subscription Edition RTM
Description
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
Tags
cisa

CVSS Scores

CVSS v3.1

8.1 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:F/RL:O/RC:C

SSVC Information

Exploitation
active
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2026-06-01 13:29:03 UTC) Source

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897

Known Exploited Vulnerability Information

Source Added Date
CVE 2026-06-01 13:29:03 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel