🔥 This vulnerability is being actively exploited in the wild (CISA Known Exploited Vulnerabilities catalog)
CVE-2026-42897: Microsoft Exchange Server Cross-Site Scripting Vulnerability
Summary
Microsoft Exchange Server has a cross-site scripting vulnerability (XSS, a security flaw where attackers inject malicious code into web pages) in Outlook Web Access that allows arbitrary JavaScript (code that runs in a user's browser) to execute when certain conditions are met. This vulnerability is currently being exploited by attackers in real-world attacks.
Solution / Mitigation
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. See Microsoft's Security Response Center update guide and Exchange Emergency Mitigation Service for specific steps.
Vulnerability Details
EPSS: 0.2%
Yes
🔥 Actively Exploited
May 14, 2026
Classification
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-42897
First tracked: May 15, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 95%