Reflected XSS in Microsoft Exchange Server OWA
CVE-2026-42897 is an actively exploited cross-site scripting vulnerability in on-premises Microsoft Exchange Server, specifically affecting Outlook Web Access (OWA). The issue stems from improper neutralization of input during web page generation. Available reporting indicates the vulnerable OWA server-side rendering logic reflects attacker-controlled input, including URL paths or query string parameters, into generated HTML without context-aware output encoding. Multiple sources also state the attack can be delivered via a specially crafted email; when the victim opens the email in OWA and certain interaction conditions are met, arbitrary JavaScript executes in the browser context of the trusted Exchange/OWA origin. Microsoft characterizes the issue as enabling spoofing over a network. Affected products include Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition on premises; Exchange Online is not affected.
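As an added illustration (not Exchange/OWA code and not taken from the sources above), the rendering shape described in the summary beside a hardened version that chooses an encoder per output context, plus a small check that reports whether an inert marker comes back verbatim; the `/owa/` path, the `msg` parameter and the page layout are constructed assumptions.

```python
import html
import json
from urllib.parse import parse_qs, urlsplit

# Hypothetical model of the flaw class described above; not Exchange/OWA code.
# A request target (path + query) is reflected into a server-rendered page.

def js_string(value: str) -> str:
    """Encode for a JavaScript string-literal context. json.dumps alone leaves
    '<' intact, so a '</script>' inside the value could close the script block."""
    return (json.dumps(value)
            .replace("<", "\\u003c").replace(">", "\\u003e")
            .replace("&", "\\u0026")
            .replace("\u2028", "\\u2028").replace("\u2029", "\\u2029"))

def render_unsafe(request_target: str) -> str:
    """Vulnerable shape: path and query value reflected with no output encoding."""
    parts = urlsplit(request_target)
    msg = parse_qs(parts.query).get("msg", [""])[0]
    return (f"<p>The resource {parts.path} was not found.</p>"
            f'<a href="{parts.path}">retry</a>'
            f"<script>var msg = '{msg}';</script>")

def render_hardened(request_target: str) -> str:
    """Same page, encoder chosen per context. Attribute encoding does not validate
    the URL scheme; a real handler would also restrict href to expected paths."""
    parts = urlsplit(request_target)
    msg = parse_qs(parts.query).get("msg", [""])[0]
    return (f"<p>The resource {html.escape(parts.path)} was not found.</p>"   # HTML body
            f'<a href="{html.escape(parts.path, quote=True)}">retry</a>'    # attribute
            f"<script>var msg = {js_string(msg)};</script>")                 # JS literal

MARKER = "<i>probe</i>"   # constructed, inert marker: harmless if it renders as markup

def reflects_unencoded(render, marker: str = MARKER) -> bool:
    """Reviewer/test check: does the marker appear in the page byte-for-byte?"""
    page = render(f"/owa/{marker}?msg={marker}")
    return marker in page

if __name__ == "__main__":
    print("unsafe   reflects raw markup:", reflects_unencoded(render_unsafe))    # True
    print("hardened reflects raw markup:", reflects_unencoded(render_hardened))  # False
```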
Impact, mitigation & remediation
What it means. What to do now. For analysts and engineers who need to decide and keep moving.
Impact
What an attacker gets — and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
No valid public exploits — Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.
All candidate exploits were filtered out by Mallory's validation.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles against your asset inventory in the product.
Recent activity
174 sources tracked across advisories, community write-ups, and news. Mallory keeps watching after this page renders.
A Microsoft Exchange remote code execution vulnerability demonstrated at Pwn2Own Berlin 2026 that allows SYSTEM-level code execution and has already been confirmed exploited in the wild.
A Microsoft Exchange Server zero-day XSS/spoofing vulnerability affecting Outlook Web Access (OWA) that can be triggered via a specially crafted email and is significant because CISA added it to the KEV catalog after confirmed in-the-wild exploitation.
A zero-day cross-site scripting vulnerability in Microsoft Exchange Server affecting Outlook Web Access (OWA), allowing malicious JavaScript execution via a specially crafted email opened in OWA.
A zero-day cross-site scripting vulnerability in Microsoft Exchange Outlook Web Access (OWA) caused by insufficient input filtering during website generation. It can allow unauthenticated network attackers to send crafted emails that trigger arbitrary JavaScript execution in a victim's browser under certain interaction conditions.
A reflected cross-site scripting vulnerability in the Microsoft Exchange OWA component caused by improper context-aware output encoding of user-controlled input in server-rendered HTML.
A vulnerability in Microsoft Exchange Outlook Web Access (OWA) that can allow arbitrary JavaScript execution in the browser context when a user opens a specially crafted email and certain interaction conditions are met.
A May 2026 Exchange Server vulnerability referenced by CVE ID in the page metadata. The provided content does not include substantive details about the flaw itself.
A specific Microsoft Exchange Server vulnerability for which Microsoft released Emergency Mitigation service mitigation M2 using an IIS URL Rewrite rule.