CVE-2026-42897

CVE-2026-42897 is a high vulnerability published on May 14, 2026. Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

CVE-2026-42897 was first published in the National Vulnerability Database on May 14, 2026, with the most recent update on May 15, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.

Yes. CISA added CVE-2026-42897 to the Known Exploited Vulnerabilities catalog on May 15, 2026, affecting Microsoft Microsoft. KEV listing indicates confirmed exploitation in the wild; this CVE warrants immediate patching attention.

CVE-2026-42897 has a CVSS v3 base score of 8.1 (NVD). EchelonGraph synthesises NVD + CISA KEV + FIRST EPSS + GHSA into a combined EG score of 9.0.

CVE-2026-42897 affects Microsoft Microsoft. The full affected-products list, including version ranges and fixed versions, is shown in the Affected Packages section of this page.

Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-42897, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.