CVE-2026-42897: Exchange Server XSS exploited against Outlook on the web — mitigation via EEMS

May 15, 2026 / May 15, 2026 by Alex Mira | Leave a comment

CVE-2026-42897: Exchange Server XSS exploited against Outlook on the web — mitigation available via EEMS

A newly disclosed Microsoft Exchange Server vulnerability, tracked as CVE-2026-42897, is being exploited in the wild and targets Outlook on the web (OWA) users. The issue is described as a cross-site scripting (XSS)–based spoofing vulnerability. Microsoft has not released patches yet, but it has published mitigations and says the Exchange Emergency Mitigation Service (EEMS) will automatically apply protections on supported on‑premises servers.

What we know so far

According to Microsoft’s security guidance and public reporting, CVE-2026-42897 is an XSS vulnerability in Microsoft Exchange Server that enables spoofing over a network. BleepingComputer reports that Microsoft warned of active exploitation and shared interim mitigations for administrators. The company indicates the following:

Affected products: Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE).
Attack scenario: An attacker can send a specially crafted email. If the recipient opens it in Outlook on the web and certain interaction conditions are met, arbitrary JavaScript may execute in the browser context. Microsoft classifies this as a spoofing issue rather than server-side code execution.
Patch status: No security update is yet available.
Mitigation path: The Exchange Emergency Mitigation Service (EEMS) will provide automatic mitigation for on‑premises Exchange 2016, 2019, and SE. Microsoft recommends enabling EEMS immediately if it is disabled.

Microsoft notes that EEMS may not be able to check for new mitigations on servers running Exchange builds older than March 2023. EEMS runs as a Windows service on Exchange Mailbox servers and is typically enabled on servers with the Mailbox role.

References:

Microsoft Security Update Guide entry for CVE-2026-42897: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897
Microsoft Exchange Team post on the May 2026 vulnerability and mitigations: https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498
Coverage and summary via BleepingComputer: https://www.bleepingcomputer.com/news/microsoft/microsoft-warns-of-exchange-zero-day-flaw-exploited-in-attacks/
Background on EEMS: https://www.bleepingcomputer.com/news/microsoft/new-microsoft-exchange-service-mitigates-high-risk-bugs-automatically/

Why it matters

Outlook on the web is widely exposed in many organizations, and XSS in a webmail context can enable content spoofing and deceptive UI behavior inside the user’s browser. With exploitation reported and no patch currently available, relying on Exchange’s built‑in emergency mitigation is the most practical immediate defense for on‑premises deployments.

Practical next steps

Based on Microsoft’s guidance and public reporting, administrators can take the following actions now:

Enable the Exchange Emergency Mitigation Service (EEMS) on Exchange Server 2016, 2019, and SE. Microsoft characterizes this as the fastest way to reduce risk while a fix is pending.
Ensure your Exchange servers are on builds from March 2023 or later so EEMS can check for and apply new mitigations.
Monitor Microsoft’s CVE page and Exchange Team post linked above for updates and eventual patches.

What’s still unclear

Some details are not publicly specified at this time:

The exact interaction conditions required in OWA for script execution are not fully described.
Patch availability and timelines have not been announced in the sources reviewed.
Scope of exploitation and impact details beyond the spoofing/XSS classification are not provided.

Bottom line

CVE-2026-42897 is an actively exploited Exchange Server XSS vulnerability that targets OWA users. Until patches arrive, Microsoft’s Exchange Emergency Mitigation Service is the recommended safeguard. Verify EEMS is enabled and your servers are on supported builds, then track Microsoft’s advisories for updates.

Alex Mira

Alex Mira is a fictitious AI-assisted author created for the Toolslib blog. Designed to support cybersecurity education, Alex writes about malware trends, software utilities, privacy practices, Windows internals, and practical defensive workflows. Articles published under Alex’s name are generated or assisted by AI and reviewed according to Toolslib’s editorial standards before publication.

Stay Updated with ToolsLib! 🚀
Join our community to receive the latest cybersecurity tips, software updates, and exclusive insights straight to your inbox!

Tagged

CVE-2026-43500 Linux rxrpc vulnerability

CVE-2026-43500: Linux rxrpc shared‑fragment bug tied to “Dirty Frag” page‑cache writes

CVE-2026-43500 fixes a Linux rxrpc flaw in how shared packet fragments are handled. It’s linked to the “Dirty Frag” chain enabling page‑cache writes and local root. Update kernels promptly.

SAP patches critical Commerce Cloud RCE and S/4HANA SQL injection (CVE-2026-34263, CVE-2026-34260)

SAP’s May 2026 updates fix two critical issues: unauthenticated RCE in Commerce Cloud (CVE-2026-34263) and authenticated SQL injection in S/4HANA Enterprise Search (CVE-2026-34260).

CVE-2026-42945 NGINX rewrite vulnerability

CVE-2026-42945: NGINX rewrite-module bug tied to PCRE captures and “?” in replacements

CVE-2026-42945 affects NGINX’s rewrite module under specific PCRE capture and replacement patterns, causing a heap overflow and worker restarts; code execution may be possible if ASLR is disabled. Version and patch details are not yet clear.

Claude Code CVE-2026-39861 sandbox escape

Claude Code CVE-2026-39861: symlink-assisted sandbox escape fixed

A GitHub advisory for CVE-2026-39861 details a symlink-based sandbox escape in Claude Code, now fixed. A separate CVE in jotty.page (CVE-2026-42564) addresses an unauthenticated path traversal fixed in 1.22.0.

CVE-2026-43284: Linux fixes an ESP decryption flaw tied to “Dirty Frag” reports

Linux has patched CVE-2026-43284 in the xfrm/ESP input path to avoid unsafe in-place decryption on shared fragments. Media link it to the “Dirty Frag” LPE chain, but only parts are confirmed. Here’s what’s known and what to do next.

Ivanti EPMM updates address multiple flaws (CVE-2026-5786/5787/5788/6973/7821)

Ivanti’s May 2026 advisory fixes five EPMM flaws spanning access control, certificate validation, and admin-level RCE prerequisites. Here’s what’s confirmed and what to do now.

CVE-2026-43284: Fix for in‑place decryption on shared skb fragments in Linux’s ESP path

CVE-2026-43284 fixes a Linux kernel ESP receive-path flaw where in-place decryption could occur on shared skb fragments. Here’s what’s confirmed and how to proceed.

CVE-2026-26956: vm2 sandbox escape in 3.10.4 enables host code execution, patch available

CVE-2026-26956 allows a vm2 sandbox escape in version 3.10.4, enabling host code execution under specific Node.js 25 settings. NVD says it’s patched in 3.10.5.

Critical cPanel Vulnerability CVE-2026-41940 Actively Exploited: What Website Owners and Hosting Providers Need to Know

CVE-2026-41940 is a critical cPanel and WHM authentication bypass vulnerability actively exploited in the wild. Learn who is affected, what attackers can do, and how to patch.

CVE-2026-31431 (“Copy Fail”): What You Need to Know

CVE-2026-31431 (“Copy Fail”) is a high-severity Linux kernel vulnerability enabling local privilege escalation and container escape. Learn its impact and how to patch or mitigate it effectively.

AdwCleaner 8.7.0 Beta Released – Performance, Stability, and a Security Fix

AdwCleaner 8.7.0 beta is now available with major performance improvements, a faster JSON parser, and a security fix for CVE-2025-67905.

December Patch Tuesday 2025: A Month of AI Upgrades, UX Polish — and a Quiet Fix to a Long-Running Windows Shortcut Flaw

December Patch Tuesday 2025 brings UI polish, deeper AI integration, a key Servicing Stack update, and a quietly fixed Windows shortcut vulnerability exploited since 2017. Here’s what changed and what security-conscious users should know.