CVE-2026-42897
Coverage of CVE-2026-42897 in the Nexus archive.
- Microsoft Exchange Zero-Day Under Attack, No Patch Available
A zero-day vulnerability, CVE-2026-42897, has been discovered in Microsoft Exchange, allowing attackers to compromise Outlook Web Access mailboxes through a cross-site scripting vulnerability. No patch is currently available to fix this issue. The vulnerability can be exploited to gain unauthorized access to sensitive information.
- Exploited Exchange Server flaw turns OWA inboxes into script launchpads
Microsoft confirmed a vulnerability in on-premises Exchange Server that could result in script execution in victims' browsers, affecting Outlook Web Access and tracked as CVE-2026-42897. The flaw can be triggered by a specially crafted email and has a CVSS score of 8.1. A mitigation has been released via the Exchange Emergency Mitigation Service.
- On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email
Microsoft disclosed a security vulnerability in on-premise Exchange Server versions, tracked as CVE-2026-42897, which has been exploited in the wild. The bug is described as a spoofing issue stemming from a cross-site scripting flaw. An anonymous researcher discovered and reported the issue.