- 136/2026
- High
Microsoft has released a security update to address a vulnerability affecting Microsoft Exchange Server.
The addressed vulnerability could allow attackers to conduct spoofing attacks through a cross-site scripting (XSS) flaw, potentially leading to the execution of arbitrary JavaScript code within the victim’s web browser context.
The addressed vulnerability:
Microsoft Exchange Server 2016 Spoofing Vulnerability (CVE-2026-42897):
- CVSS: 8.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Consequences: Cross-Site Scripting
The affected products:
- Microsoft Exchange Server 2016.
- Microsoft Exchange Server 2019.
- Microsoft Exchange Server Subscription Edition RTM.
It should be highlighted that Microsoft is aware that the vulnerability “CVE-2026- 42897” is being exploited in the wild.
Vulnerabilities
CVE-2026-42897
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.