COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2026-42897

CVE-2026-42897

Severity
high · on CISA KEV actively exploited
Source
CISA-KEV · kev
Published
2026-05-15
Reference
https://nvd.nist.gov/vuln/detail/CVE-2026-42897
⌖ exploited in the wild shame 45/100 exploited-in-wildunpatched

Microsoft Exchange Server XSS vulnerability allows arbitrary JavaScript execution in Outlook Web Access browser context.

This XSS flaw enables attackers to inject malicious scripts into Outlook Web Access, potentially leading to credential theft or session hijacking. DIB organizations must patch immediately to prevent unauthorized access to sensitive data via compromised web sessions.

Shame score — A known XSS vulnerability in a widely deployed enterprise product that allows script execution in the browser context.

Players implicated

Microsoft · vendorMicrosoft · product

Description

Microsoft Exchange Server contains a cross-site scripting vulnerability during web page generation in Outlook Web Access and when certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context.

Affected FedRAMP products 4 in the catalog

ProductProviderStatusMatch
Azure Commercial Cloud Microsoft Authorized vendor-exact · 0.90
Azure Government (includes Dynamics 365) Microsoft Authorized vendor-exact · 0.90
Microsoft Office 365 GCC High Microsoft In Process vendor-exact · 0.90
Office 365 Multi-Tenant & Supporting Services Microsoft Authorized vendor-exact · 0.90