A critical cross-site scripting (XSS) vulnerability in on-premises Microsoft Exchange Server, CVE-2026-42897 (CVSS 8.1), is being exploited by attackers, Microsoft warned on Thursday. A permanent fix is still in the works; in the meantime, Microsoft has published temporary mitigations, which administrators should apply now rather than wait for the patch.

About CVE-2026-42897

CVE-2026-42897 affects the on-premises editions of Exchange Server: Subscription Edition RTM, Exchange Server 2019 and Exchange Server 2016. Exchange Online is not affected. Flagged by an anonymous researcher, the vulnerability allows an unauthorized attacker to perform spoofing over a network (the impact category Microsoft uses for cross-site scripting flaws).

Source: Help Net Security, "Unpatched Microsoft Exchange Server vulnerability exploited (CVE-2026-42897)".
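The advisory names product versions, not build numbers, so the first practical step is to find out which of your servers are in scope. The following PowerShell inventory check is an added example written for this page; it is not code from Help Net Security or from Microsoft, and the mitigations themselves are not reproduced here because the article does not describe them. It assumes you run it from the Exchange Management Shell, where Get-ExchangeServer and the AdminDisplayVersion property (a ServerVersion object with Major, Minor, Build and Revision) are available. Exchange 2016 reports as 15.1 and both Exchange 2019 and Subscription Edition report as 15.2; the build-number threshold used to tell the latter two apart is an assumption and should be confirmed against Microsoft's Exchange build-number table.

```powershell
# Added example, not from the article or from Microsoft: list every on-premises
# Exchange server and flag those whose version line is named in the advisory.
# Run from the Exchange Management Shell.
$SeMinBuild = 2562   # ASSUMPTION: first Subscription Edition RTM build line; verify

Get-ExchangeServer | ForEach-Object {
    $v = $_.AdminDisplayVersion          # Microsoft.Exchange.Data.ServerVersion
    $edition = switch ("$($v.Major).$($v.Minor)") {
        '15.1' { 'Exchange Server 2016' }
        '15.2' {
            if ($v.Build -ge $SeMinBuild) { 'Exchange Server Subscription Edition' }
            else                          { 'Exchange Server 2019' }
        }
        '15.0' { 'Exchange Server 2013 (out of support; not named in the advisory)' }
        default { "Unrecognized ($v)" }
    }
    [pscustomobject]@{
        Server  = $_.Name
        Role    = $_.ServerRole
        Version = "$($v.Major).$($v.Minor).$($v.Build).$($v.Revision)"
        Edition = $edition
        # In scope = one of the three editions the advisory names
        InScope = ($edition -like 'Exchange Server 201[69]*') -or ($edition -like '*Subscription*')
    }
} | Sort-Object InScope -Descending | Format-Table -AutoSize
```

Servers reported as in scope are exposed until the temporary mitigations are applied; this check only identifies them, it does not verify that a mitigation is in place, since no fix exists yet to test for.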