CVE-2026-42897
published 2026-05-14CVE-2026-42897: Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform…
medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
KEV
CISA Known Exploited Vulnerabilitydue 2026-05-29
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | exchange_server | — | — |
| microsoft | exchange_server | — | — |
| microsoft | microsoft_exchange_server_2016_cumulative_update_23 | >= 15.01.0.0 < publication | publication |
| microsoft | microsoft_exchange_server_2019_cumulative_update_14 | >= 15.02.0.0 < publication | publication |
| microsoft | microsoft_exchange_server_2019_cumulative_update_15 | >= 15.02.0.0 < publication | publication |
| microsoft | microsoft_exchange_server_subscription_edition_rtm | >= 15.02.0.0 < publication | publication |
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vulncheck8.1HIGH
cisa6.1MEDIUM