A cross-site scripting flaw in Microsoft Exchange's web interface is being exploited in the wild — and as of this writing, there is still no permanent patch. Microsoft confirmed active exploitation of CVE-2026-42897 on 14 May 2026 (some reports place the announcement on 15 May; the NVD published date is 14 May), two days after its May Patch Tuesday addressed 138 separate vulnerabilities. The zero-day was not among them.
What the Flaw Does
CVE-2026-42897 is an improper input neutralisation (cross-site scripting) vulnerability in the Outlook Web Access (OWA) component of on-premises Microsoft Exchange Server. Microsoft, as the CNA, assigns it a CVSS v3.1 score of 8.1, which falls in the High severity band (7.0–8.9); NIST scores it 6.1 Medium using a different vector. Some outlets described it as "critical" — that label does not correspond to the official CVSS band at 8.1. An attacker exploits the flaw by sending a specially crafted email to a target user. If that user opens the message in OWA and certain interaction conditions are met, arbitrary JavaScript executes inside the victim's browser session.
Microsoft's own advisory states: "An attacker could exploit this issue by sending a specially crafted email to a user. If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context." The consequence is execution within the victim's active browser session, not server-level code execution.
Microsoft has declined to specify publicly which interaction conditions trigger the exploit, a standard disclosure restraint intended to slow adversary refinement of working attack chains.
Affected Versions
The vulnerability affects all currently supported on-premises Exchange builds: Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE). Exchange Online — the cloud-hosted service used by Microsoft 365 customers — is not affected. The scope is significant: a large share of enterprise email globally still runs on on-premises Exchange, particularly in regulated industries, government, and organisations that have not yet migrated to the cloud.
No Permanent Fix, Temporary Mitigations Available
Microsoft has not issued a permanent security update for CVE-2026-42897 and has not committed to a public timeline for one. Two mitigation paths are available in the interim. For organisations with the Exchange Emergency Mitigation Service (EEMS) enabled, Microsoft pushed an automatic mitigation — it is applied without administrator action. For air-gapped or internet-isolated environments, the Exchange On-premises Mitigation Tool (EOMT) provides a manual equivalent.
Administrators should verify that EEMS is active and the mitigation has been applied. Microsoft's official guidance on the Microsoft Community Hub lists the mitigation steps and notes known side effects: OWA print-calendar functionality, inline image rendering, and OWA light mode may malfunction after applying the temporary fix.
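As an added check, not from the article or from Microsoft's guidance, the PowerShell below (run in the Exchange Management Shell) reports for each server whether EEMS is enabled and whether a given mitigation override is present. It assumes the standard EEMS surfaces (the MitigationsEnabled property, the Get-Mitigations.ps1 script under $exscripts, and the VariantConfiguration diagnostic query) and uses a placeholder for the mitigation ID, which the article does not give and must be taken from Microsoft's published guidance.

```powershell
# Added verification script, not part of the article or of Microsoft's tooling.
# Run in the Exchange Management Shell on on-premises Exchange 2016 / 2019 / SE.
# Assumptions: MitigationsEnabled on Get-ExchangeServer, Get-Mitigations.ps1 in
# $exscripts, and the Get-ExchangeDiagnosticInfo query below are the standard EEMS
# checks. The mitigation ID is a placeholder: substitute the ID Microsoft publishes.
$ExpectedMitigationId = 'REPLACE-WITH-MITIGATION-ID-FROM-MICROSOFT-GUIDANCE'

# 1. Is EEMS switched on for each server? Where it is off, or where the server
#    cannot reach Microsoft's Office Config Service (air-gapped networks), the
#    automatic mitigation will not arrive and EOMT has to be run by hand.
$report = foreach ($s in Get-ExchangeServer) {
    [pscustomobject]@{
        Server          = $s.Name
        EemsEnabled     = [bool]$s.MitigationsEnabled
        MitigationFound = $false
        Action          = ''
    }
}

# 2. Ask each server which mitigation overrides it currently holds and look for
#    the expected ID in the returned XML (carried in the .Result property).
foreach ($row in $report) {
    try {
        $diag = Get-ExchangeDiagnosticInfo -Server $row.Server `
            -Process Microsoft.Exchange.Directory.TopologyService `
            -Component VariantConfiguration -Argument Overrides
        $row.MitigationFound = [string]$diag.Result -match [regex]::Escape($ExpectedMitigationId)
    } catch {
        Write-Warning ("{0}: diagnostic query failed: {1}" -f $row.Server, $_.Exception.Message)
    }
    if ($row.MitigationFound) { $row.Action = 'OK: mitigation applied' }
    elseif ($row.EemsEnabled) { $row.Action = 'EEMS on but mitigation missing: check OCS reachability, wait for next poll' }
    else { $row.Action = 'EEMS off: run EOMT manually' }
}
$report | Format-Table -AutoSize

# 3. Second opinion from the script that ships with Exchange; it lists the
#    mitigations applied on the server.
$getMitigations = Join-Path $exscripts 'Get-Mitigations.ps1'
if (Test-Path $getMitigations) { & $getMitigations }
```

Once a server reports the mitigation as applied, exercise OWA print calendar, inline image rendering and OWA light mode, since those are the side effects Microsoft's guidance lists for the temporary fix.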
Regulatory Response: CISA
The United States Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-42897 to its Known Exploited Vulnerabilities (KEV) catalogue on 14 May 2026, according to the Security Affairs KEV report — the same day Microsoft disclosed the flaw. (SecurityWeek's initial report, published around the same time, noted the CVE had not yet been added; the KEV listing followed later that day.) Federal Civilian Executive Branch (FCEB) agencies were given until 29 May 2026 to remediate.
Why On-Premises Exchange Remains a High-Value Target
Exchange Server has featured in some of the most damaging enterprise breaches of the past decade. Nation-state groups and ransomware operators alike treat unpatched Exchange instances as reliable initial-access vectors: the mail server holds credentials and internal correspondence, and it often has broad reachability into the internal network. CVE-2026-42897 does not grant direct server access, but JavaScript execution within an authenticated OWA session can be a decisive first step.
Researchers have noted that the phishing-style delivery mechanism — a malicious email that, once opened in OWA under the required interaction conditions, can trigger JavaScript execution — lowers the barrier for mass exploitation campaigns. Unlike vulnerabilities requiring attacker network access to Exchange directly, this flaw can be triggered remotely by any actor who can deliver email to the target organisation.
This article describes the attack surface and defensive mitigations for awareness purposes. No exploit code or proof-of-concept technical detail is reproduced here.