CVE-2026-42897 is a high-severity cross-site scripting (XSS) vulnerability in Microsoft Exchange Server 2016, 2019, and Subscription Edition. It allows remote attackers to execute arbitrary JavaScript code in the context of Outlook Web Access by sending a specially crafted email. The vulnerability was actively exploited before patching. Microsoft initially deployed an automatic temporary mitigation via the Exchange Emergency Mitigation Service (EEMS) and later released official security updates in June 2026. The vendor strongly advises applying these updates promptly and retaining the mitigation to ensure continuous protection. The U.S. CISA added this vulnerability to its exploited-in-the-wild list and required government agencies to patch quickly. This vulnerability requires no privileges and can be triggered by user interaction with a malicious email in Outlook Web Access.

The vulnerability enables remote attackers to execute arbitrary JavaScript code in the browser of Outlook Web Access users, potentially leading to spoofing and other XSS-related impacts. Because exploitation requires no privileges and only user interaction with a crafted email, the risk of compromise is significant for affected Exchange Server environments. The vulnerability was actively exploited in the wild prior to patching, increasing the urgency of remediation. The impact is limited to Outlook Web Access users on affected Exchange Server versions.

Microsoft has released official security updates for Exchange Server 2016, 2019, and Subscription Edition to address this vulnerability. Administrators should deploy these June 2026 security updates as soon as possible. Additionally, Microsoft recommends maintaining the previously deployed Exchange Emergency Mitigation Service (EEMS) temporary mitigation to provide an additional layer of defense. No further action beyond applying the patch and retaining the mitigation is indicated by the vendor.