Zero Day Monitor (ZDM)
CVE-2026-42897 · CVSS 8.1 · KEV · EXPLOITED · PATCHED
microsoft · exchange

Microsoft Exchange Server Spoofing Vulnerability

Description

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

Affected Products

Vendor | Product | Versions
microsoft | exchange | -, -, -, -

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor | Product | Source | Confidence
microsoft | microsoft exchange server 2019 cumulative update | mitre_affected | 90%
microsoft | microsoft exchange server subscription edition rtm | mitre_affected | 90%
microsoft | exchange | cert_advisory | 90%

References

  • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897 (vendor-advisory, patch)

Related News (6 articles)

Tier B · BSI Advisories · 2h ago
[NEW] [high] Microsoft Exchange Server: Vulnerability enables cross-site scripting and spoofing attacks
→ No new info (linked only)

Tier D · Help Net Security · 2h ago
Unpatched Microsoft Exchange Server vulnerability exploited (CVE-2026-42897)
→ No new info (linked only)

Tier D · BleepingComputer · 2h ago
Microsoft warns of Exchange zero-day flaw exploited in attacks
→ No new info (linked only)

Tier D · The Hacker News · 5h ago
On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email
→ No new info (linked only)

Tier C · VulDB · 18h ago
CVE-2026-42897 | Microsoft Exchange Server cross site scripting
→ No new info (linked only)

Tier A · Microsoft MSRC · 22h ago
CVE-2026-42897 Microsoft Exchange Server Spoofing Vulnerability
→ No new info (linked only)

CVSS 3.1: 8.1 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:F/RL:O/RC:C
CISA KEV: ✅ Yes
Actively exploited: ✅ Yes
Patch available: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897
CWE: CWE-79
Published: May 14, 2026
Last enriched: 1h ago (v3)
Tags: zero-day, cyberespionage, web shell, microsoft exchange, EEMS
Trending Score: 130 🔥
Source articles: 6
Independent: 6
Info Completeness: 12/14
Missing: epss, iocs

Related CVEs (5)

HIGH · CVE-2026-33825 · EXP · KEV
Microsoft Defender Elevation of Privilege Vulnerability
Trending: 137

CRITICAL · CVE-2026-41089 · EXP
Windows Netlogon Remote Code Execution Vulnerability
Trending: 70

CRITICAL · CVE-2026-42898 · EXP
Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability
Trending: 70

CRITICAL · CVE-2026-41103 · EXP
Microsoft SSO Plugin for Jira & Confluence Elevation of Privilege Vulnerability
Trending: 68

CRITICAL · CVE-2026-41096 · EXP
Windows DNS Client Remote Code Execution Vulnerability
Trending: 68

Verification

State: verified
Confidence: 0%

Vulnerability Timeline

CVE Published | May 14, 2026
Added to CISA KEV | May 14, 2026
Discovered by ZDM | May 14, 2026
Updated: affectedVersions, tags | May 15, 2026
Updated: severity, affectedVersions | May 15, 2026
Actively Exploited | May 15, 2026
Exploit Available | May 15, 2026
Patch Available | May 15, 2026

Version History

Current version: v3 (last enriched 1h ago)

v3 · Tier D · 1h ago

Updated severity to CRITICAL, added affected version Subscription Edition RTM, and noted that a permanent fix is still in the works.

severity, affectedVersions
via Help Net Security

v2 · Tier D · 2h ago

Updated affected versions to include Exchange Server 2016, 2019, and Subscription Edition, and added patch information along with a new tag for EEMS.

affectedVersions, tags
via BleepingComputer

v1 · 19h ago

Initial creation