PT-2026-40978 · Microsoft · Exchange Server

Published: 2026-05-14 · Updated: 2026-05-23 · CVE-2026-42897

CVSS v2.0: 9.4 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions

Microsoft Exchange Server 2016
Microsoft Exchange Server 2019
Microsoft Exchange Server Subscription Edition
Description

Improper neutralization of input during web page generation in Outlook Web Access (OWA) allows an unauthenticated remote attacker to perform cross-site scripting (XSS) and spoofing attacks. OWA fails to properly sanitize specific parameters within email header structures and body components before rendering them in the web interface. An attacker exploits this by sending a specially crafted email; if the victim opens the message in OWA and the required interaction conditions are met, arbitrary JavaScript executes in the victim's browser in the context of the OWA origin. This can lead to session hijacking, credential theft, and exfiltration of security tokens. The flaw has been actively exploited in the wild against on-premises environments.
Recommendations

For Microsoft Exchange Server 2016, apply the security update for CU23 (requires enrollment in the Period 2 Extended Security Update program). For Microsoft Exchange Server 2019, apply the security update for CU14 or CU15 (requires enrollment in the Period 2 Extended Security Update program). For Microsoft Exchange Server Subscription Edition, apply the security update for RTM.

As a temporary mitigation for all affected versions, ensure the Exchange Emergency Mitigation Service (EEMS) is enabled so that Microsoft-published mitigations are applied automatically; EEMS needs outbound connectivity to Microsoft's mitigation endpoint, and a mitigation is not a substitute for installing the update. For air-gapped or isolated environments, run the Exchange On-Premises Mitigation Tool manually: .\EOMT.ps1 -CVE "CVE-2026-42897". As a further workaround, until the update is installed, users should avoid the OWA web interface and use an updated desktop client such as Outlook Desktop instead.
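The following Exchange Management Shell script is an added example, not part of this advisory and not Microsoft's tooling: it walks the mitigation steps above on every Mailbox server, reports the installed build for comparison against the vendor release notes (the fixed build numbers are not stated on this page), enables EEMS where it is off, checks the mitigation service is running, and shows the EOMT invocation from the advisory for isolated environments. The path to EOMT.ps1 and the choice of mailboxes for the optional OWA lockdown are assumptions.

```powershell
# Added example (not from the advisory): verify exposure and mitigation state
# for CVE-2026-42897 from the Exchange Management Shell (Windows PowerShell 5.1).
# Assumptions: run as an Exchange administrator on a Mailbox server; the fixed
# build numbers are not given in this advisory, so builds are only reported
# for manual comparison against Microsoft's release notes.

# 1. Inventory: which servers are in scope and what build do they run?
#    Compare AdminDisplayVersion against the fixed builds for 2016 CU23,
#    2019 CU14/CU15 or Subscription Edition RTM.
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -match 'Mailbox' }
$servers | Select-Object Name, AdminDisplayVersion, MitigationsEnabled |
    Format-Table -AutoSize

# 2. EEMS state: both the organization-level switch and the per-server switch
#    must be $true for mitigations to be applied automatically.
if (-not (Get-OrganizationConfig).MitigationsEnabled) {
    Write-Warning 'EEMS is disabled at the organization level; enabling it.'
    Set-OrganizationConfig -MitigationsEnabled $true
}
foreach ($s in $servers) {
    if (-not $s.MitigationsEnabled) {
        Write-Warning "EEMS is disabled on $($s.Name); enabling it."
        Set-ExchangeServer -Identity $s.Name -MitigationsEnabled $true
    }
    # The flags do nothing unless the mitigation service itself is running.
    $svc = Get-Service -ComputerName $s.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue
    if ($null -eq $svc -or $svc.Status -ne 'Running') {
        Write-Warning "MSExchangeMitigation service is not running on $($s.Name)."
    }
}

# 3. List the mitigations EEMS has already applied on this server
#    (Get-Mitigations.ps1 ships in the Exchange Scripts folder) so the
#    mitigation for this CVE can be confirmed once Microsoft publishes it.
& (Join-Path $env:ExchangeInstallPath 'Scripts\Get-Mitigations.ps1')

# 4. Isolated environment: EEMS cannot reach Microsoft's mitigation endpoint,
#    so apply the mitigation with EOMT exactly as the advisory instructs.
#    (Assumption: EOMT.ps1 has been copied into the current directory.)
# .\EOMT.ps1 -CVE "CVE-2026-42897"

# 5. Optional interim lockdown that goes beyond the advisory's wording: instead
#    of asking users to avoid OWA, disable OWA access per mailbox until the
#    update is installed. (Assumption: you have chosen which mailboxes to cover.)
# Get-Mailbox -ResultSize Unlimited | Set-CASMailbox -OWAEnabled $false
```

Steps 4 and 5 are left commented out because they are disruptive or environment-specific; uncomment them deliberately. Re-run step 1 after patching to confirm every server reports the fixed build.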

Fix · RCE · XSS

Weakness Enumeration

Related Identifiers

BDU:2026-06919
CVE-2026-42897

Affected Products

Exchange Server