// Alert

Microsoft 365 threat report

Microsoft has patched CVE-2026-42897, a high-severity actively exploited cross-site scripting (XSS) vulnerability in Exchange Server 2016, 2019, and Subscription Edition. The flaw allows remote attackers with no privileges to execute arbitrary JavaScript in Outlook Web Access by sending specially crafted emails. Microsoft deployed automatic temporary mitigations via the Exchange Emergency Mitigation Service in mid-May and released fixes in June 2026 Patch Tuesday.

// Get alerts for Microsoft 365