
CVE-2026-42897

HIGH · 8.1 KEV EPSS 2.5%
Hype: LIKELY HACK · 72

Confirmed active abuse + urgent vendor patching; KEV delay and absence of public PoC prevent higher score.

What: Cross-site scripting (XSS) in Microsoft Exchange Server on-premises allowing email spoofing; CVSS 8.1 HIGH.

Why it matters: Microsoft confirmed active exploitation in the wild as of 2026-05-14. Posts cite emergency patching and mitigation guidance. Not yet KEV-listed, but the vendor advisory plus confirmed active abuse signal immediate triage priority for on-prem Exchange operators.

Where it's seen: Coordinated social chatter across security news outlets (HelpNetSecurity, The Hacker News) and Bluesky; consistent framing of "actively exploited zero-day" with remediation paths (EOMT, service updates). No public PoC mentioned, but threat actor activity confirmed by Microsoft.

RISK: HIGH — Active exploitation of high-CVSS spoofing flaw in widely-deployed messaging infrastructure.

Generated by claude-haiku-4-5 from public posts and authoritative metadata. AI can make mistakes — verify against vendor advisories before acting. 5/15/2026, 3:54:35 PM

Description

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

CVSS 3.1 breakdown

Exploitability 2.8 · Impact 5.2
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Weaknesses