CVE-2026-42897

HIGH 8.1

⚠️ CISA KEV

Microsoft Exchange Server Spoofing Vulnerability

CVSS Score

8.1

EPSS Score

0.0%

EPSS Percentile

0th

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

Vendor	microsoft
Product	microsoft exchange server 2016 cumulative update 23
Ecosystems	Windows .NET Azure
Industries	TechnologyEnterprise
Published	May 14, 2026
Last Updated	Jun 19, 2026

⚠️ Actively Exploited — Act Now

Get instant alerts for microsoft microsoft exchange server 2016 cumulative update 23

This vulnerability is actively exploited in the wild. Set up free real-time alerts so you're first to know about threats like CVE-2026-42897.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:F/RL:O/RC:C

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

Microsoft / Microsoft Exchange Server 2016 Cumulative Update 23

15.01.0.0 < 15.01.2507.069

Microsoft / Microsoft Exchange Server 2019 Cumulative Update 14

15.02.0.0 < 15.02.1544.041

Microsoft / Microsoft Exchange Server 2019 Cumulative Update 15

15.02.0.0 < 15.02.1748.046

Microsoft / Microsoft Exchange Server Subscription Edition RTM

15.02.0.0 < 15.02.2562.043

References

NVD ↗ CVE.org ↗ EPSS Data ↗

msrc.microsoft.com: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897 cisa.gov: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-42897