CVE-2026-42897
KEV High · CVSS 8.1
Microsoft Exchange Server — Cross-Site Scripting (XSS) leading to spoofing
- CVSS: 8.1 · nvd
- EPSS: —
- KEV: Listed · 2026-05-15
- Class: other · CWE-79
Description
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
Search profile — drives PoC discovery
Symbols: CVE-2026-42897, Exchange Server XSS, improper neutralization, web page generation, spoofing over network, CWE-79
Keywords: CVE-2026-42897, Microsoft Exchange Server, XSS, cross-site scripting, spoofing, Exchange spoofing, Exchange XSS PoC, Exchange Server vulnerability 2026, MSRC CVE-2026-42897, CWE-79 Exchange
Candidate PoCs (1) — discovered, not yet vetted or ranked
- atiilla/CVE-2026-42897 · ★ 4 · nomi_sec
Recall-favoring discovery (nomi-sec + trickest). Vetting + ranking is the Stage-4 scorer.
Status: enriched · ingested 2026-06-16T00:00:58.000Z · profiled 2026-06-16T18:20:23.035Z