CVE-2026-42897 is an actively exploited cross-site scripting (XSS) vulnerability in on-premises Microsoft Exchange Server, specifically affecting the Outlook Web Access (OWA) rendering path. Microsoft describes the issue as improper neutralization of input during web page generation, allowing attacker-controlled content delivered via a specially crafted email to execute arbitrary JavaScript when the message is opened in OWA under certain interaction conditions. The flaw affects Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition at any update level; Exchange Online is not affected. Public reporting and Microsoft guidance indicate exploitation is unauthenticated over the network and begins with delivery of a malicious email to a target mailbox. The JavaScript executes in the browser context of the authenticated OWA user rather than as server-side code on Exchange itself.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
No valid public exploits. Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.
All candidate exploits were filtered out by Mallory's validation.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
245 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A critical spoofing/XSS vulnerability in on-premises Microsoft Exchange Outlook Web Access (OWA) that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser session via a specially crafted email.
0-day уязвимость в Exchange Server, позволяющая выполнить произвольный JavaScript-код в браузере жертвы через специально подготовленное письмо в Outlook Web Access.
An actively exploited vulnerability affecting Microsoft Exchange Server that was patched in this Patch Tuesday release.
A high-severity Microsoft Exchange Server spoofing vulnerability that enables arbitrary JavaScript execution via XSS against Outlook Web Access users.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.