CVE-2026-42897

Warnung

Medienbericht

EPSS 12.34%
Veröffentlicht 14.05.2026 17:00:36
Zuletzt bearbeitet 15.05.2026 19:35:52
Quelle secure@microsoft.com
CVE-Watchlists
Login
Unerledigt
Login

Microsoft Exchange Server Spoofing Vulnerability

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

Betroffene Produkte Warnungen 1 Metriken 3 CWE 1 Referenzen 8

NVD 40 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Microsoft ≫ Exchange Server Version- SwEditionsubscription

Microsoft ≫ Exchange Server Version2016 Update-

Microsoft ≫ Exchange Server Version2016 Updatecumulative_update_1

Microsoft ≫ Exchange Server Version2016 Updatecumulative_update_10

Microsoft ≫ Exchange Server Version2016 Updatecumulative_update_11

Microsoft ≫ Exchange Server Version2016 Updatecumulative_update_12

Microsoft ≫ Exchange Server Version2016 Updatecumulative_update_13

Microsoft ≫ Exchange Server Version2016 Updatecumulative_update_14

Microsoft ≫ Exchange Server Version2016 Updatecumulative_update_15

Microsoft ≫ Exchange Server Version2016 Updatecumulative_update_16

Microsoft ≫ Exchange Server Version2016 Updatecumulative_update_17

Microsoft ≫ Exchange Server Version2016 Updatecumulative_update_18

Microsoft ≫ Exchange Server Version2016 Updatecumulative_update_19

Microsoft ≫ Exchange Server Version2016 Updatecumulative_update_2

Microsoft ≫ Exchange Server Version2016 Updatecumulative_update_20

Microsoft ≫ Exchange Server Version2016 Updatecumulative_update_21

Microsoft ≫ Exchange Server Version2016 Updatecumulative_update_22

Microsoft ≫ Exchange Server Version2016 Updatecumulative_update_23

Microsoft ≫ Exchange Server Version2016 Updatecumulative_update_3

Microsoft ≫ Exchange Server Version2016 Updatecumulative_update_4

Microsoft ≫ Exchange Server Version2016 Updatecumulative_update_5

Microsoft ≫ Exchange Server Version2016 Updatecumulative_update_6

Microsoft ≫ Exchange Server Version2016 Updatecumulative_update_7

Microsoft ≫ Exchange Server Version2016 Updatecumulative_update_8

Microsoft ≫ Exchange Server Version2016 Updatecumulative_update_9

Microsoft ≫ Exchange Server Version2019 Update-

Microsoft ≫ Exchange Server Version2019 Updatecumulative_update_1

Microsoft ≫ Exchange Server Version2019 Updatecumulative_update_10

Microsoft ≫ Exchange Server Version2019 Updatecumulative_update_11

Microsoft ≫ Exchange Server Version2019 Updatecumulative_update_12

Microsoft ≫ Exchange Server Version2019 Updatecumulative_update_13

Microsoft ≫ Exchange Server Version2019 Updatecumulative_update_14

Microsoft ≫ Exchange Server Version2019 Updatecumulative_update_2

Microsoft ≫ Exchange Server Version2019 Updatecumulative_update_3

Microsoft ≫ Exchange Server Version2019 Updatecumulative_update_4

Microsoft ≫ Exchange Server Version2019 Updatecumulative_update_5

Microsoft ≫ Exchange Server Version2019 Updatecumulative_update_6

Microsoft ≫ Exchange Server Version2019 Updatecumulative_update_7

Microsoft ≫ Exchange Server Version2019 Updatecumulative_update_8

Microsoft ≫ Exchange Server Version2019 Updatecumulative_update_9

15.05.2026: CISA Known Exploited Vulnerabilities (KEV) Catalog

Microsoft Exchange Server Cross-Site Scripting Vulnerability

Schwachstelle

Microsoft Exchange Server contains a cross-site scripting vulnerability during web page generation in Outlook Web Access and when certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context.

Beschreibung

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	12.34%	0.94

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
secure@microsoft.com	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://www.heise.de/news/Microsoft-Exchange-Zero-Day-Luecke-wird-angegriffen-11295799.html

Media Report

https://www.bleepingcomputer.com/news/microsoft/microsoft-warns-of-exchange-zero-day-flaw-exploited-in-attacks/

Media Report

https://thehackernews.com/2026/05/on-prem-microsoft-exchange-server-cve.html

Media Report

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897

Vendor Advisory

Mitigation

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42897

US Government Resource

https://nvd.nist.gov/vuln/detail/CVE-2026-42897