Exposures › CVE-2026-42897
Microsoft Exchange Server XSS vulnerability allows arbitrary JavaScript execution in Outlook Web Access browser context.
This XSS flaw enables attackers to inject malicious scripts into Outlook Web Access, potentially leading to credential theft or session hijacking. DIB organizations must patch immediately to prevent unauthorized access to sensitive data via compromised web sessions.
Shame score — A known XSS vulnerability in a widely deployed enterprise product that allows script execution in the browser context.
Microsoft Exchange Server contains a cross-site scripting vulnerability during web page generation in Outlook Web Access and when certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context.
| Product | Provider | Status | Match |
|---|---|---|---|
| Azure Commercial Cloud | Microsoft | Authorized | vendor-exact · 0.90 |
| Azure Government (includes Dynamics 365) | Microsoft | Authorized | vendor-exact · 0.90 |
| Microsoft Office 365 GCC High | Microsoft | In Process | vendor-exact · 0.90 |
| Office 365 Multi-Tenant & Supporting Services | Microsoft | Authorized | vendor-exact · 0.90 |