CVE-2026-42897
Microsoft Exchange Server Spoofing Vulnerability
In short
Microsoft Exchange Server does not properly sanitize user input when generating web pages, allowing attackers to inject malicious script that can trick users into believing fake messages or actions are genuine. This is dangerous because attackers can impersonate legitimate communications to steal credentials or spread misinformation.
Technical detail
A cross-site scripting (XSS) vulnerability in Microsoft Exchange Server's web interface: the server fails to sanitize user-controlled input during page generation, enabling attackers to inject arbitrary scripts that execute in victims' browsers. The flaw can be exploited over a network to perform spoofing attacks, compromising authentication integrity and session management.
Summary generated and translated by AI from the official description.
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:F/RL:O/RC:C
Affected products
Microsoft · Microsoft Exchange Server 2016 Cumulative Update 23
Microsoft · Microsoft Exchange Server 2019 Cumulative Update 14
Microsoft · Microsoft Exchange Server 2019 Cumulative Update 15
Microsoft · Microsoft Exchange Server Subscription Edition RTM
Public PoCs found — 1
GitHub: github.com/atiilla/CVE-2026-42897 (★ 4)
Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.