// Microsoft 365HIGH
Microsoft has patched CVE-2026-42897, a high-severity actively exploited cross-site scripting (XSS) vulnerability in Exchange Server 2016, 2019, and Subscription Edition. The flaw allows remote attackers with no privileges to execute arbitrary JavaScript in Outlook Web Access by sending specially crafted emails. Microsoft deployed automatic temporary mitigations via the Exchange Emergency Mitigation Service in mid-May and released fixes in June 2026 Patch Tuesday.
- Microsoft patches Exchange Server zero-day exploited in attacks(opens in a new tab)
- Microsoft Patches Exploited Exchange Server Vulnerability - Secu(opens in a new tab)
- Microsoft Exchange Server 0-Day Vulnerability Exploited in Attac(opens in a new tab)
- Microsoft Patches Exploited Exchange Server Vulnerability - Secu(opens in a new tab)
// Get alerts for Microsoft 365