Skip to content
Activamente explotadaCVSS 8.1 · HIGH

CVE-2026-42897

Microsoft Exchange Server contains a cross-site scripting vulnerability during web page generation in Outlook Web Access and when certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context.

Ver en NVD

Análisis

Microsoft Exchange Server is vulnerable to unauthenticated cross-site scripting which could lead to session hijacking or spoofing. While significant for organizations running self-hosted Exchange, it is a routine enterprise security update rather than a developer-centric emergency.

Severidad

Puntaje: 8.1(HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
AV: NETWORK
AC: LOW
PR: NONE
UI: REQUIRED
S: UNCHANGED
C: HIGH
I: HIGH
A: NONE
Tipo de falla (CWE): CWE-79

CISA KEV

Agregada al KEV: 2026-05-15
Fecha límite federal: 2026-05-29
Uso conocido en ransomware: Unknown
Acción requerida

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

EPSS

Probabilidad de explotación (próx. 30 días): 0.0022 (0.2%)
Percentil: 44.5%
EPSS: 2026-05-15

Afecta

microsoft:exchange_server

Descripción técnica

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

Publicada: 14/5/2026, 18:16:49
Última modificación: 15/5/2026, 19:35:52

Referencias

InicioEventosBlogRecursosEquipo