CVE-2026-42897: Reflected Cross-Site Scripting in Microsoft Exchange Server OWA

Vulnerability ID: CVE-2026-42897
CVSS Score: 8.1
Published: 2026-05-14

CVE-2026-42897 is a high-severity reflected Cross-Site Scripting (XSS) vulnerability in the Outlook on the web (OWA) component of Microsoft Exchange Server. The flaw stems from improper neutralization of user-supplied input during web page generation: a value taken from the request is written into the HTML response without output encoding, so a crafted URL can turn that value into markup the victim's browser executes. Disclosed as a zero-day that was already being exploited in the wild, the vulnerability lets an unauthenticated attacker who gets an authenticated user to open a crafted URL run arbitrary JavaScript in that user's OWA session, enabling session hijacking and identity spoofing.

TL;DR

Actively exploited reflected XSS in Exchange Server OWA lets unauthenticated attackers hijack authenticated sessions via crafted URLs. Microsoft released out-of-band updates and an IIS URL rewrite mitigation (EEMS M2) to address the flaw.…
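The following is an added illustration of what "improper neutralization of user-supplied input during web page generation" means for a reflected XSS bug; it is toy code written for this page, not Exchange or OWA code, and it says nothing about the actual vulnerable OWA endpoint or parameter. The route name "/owa/search", the "q" parameter, the host "mail.example.test" and the crafted URL are all assumptions constructed for the example. It renders the same page twice, once concatenating the query value straight into the HTML and once after HTML-entity encoding it, and checks whether a live script element ends up in the output.

```javascript
// Added example (not Exchange/OWA code): reflected XSS, vulnerable rendering
// beside the hardened form. Route, parameter name and host are assumptions.

// Encode the characters that break out of HTML text and quoted-attribute contexts.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable: the request value is written into the page unchanged, so any
// markup it contains becomes part of the DOM the victim's browser builds.
function renderVulnerable(q) {
  return `<html><body><h1>Results for: ${q}</h1></body></html>`;
}

// Hardened: identical page, but the value is neutralized for the HTML text
// context before it is emitted. The browser shows the payload as literal text.
function renderHardened(q) {
  return `<html><body><h1>Results for: ${escapeHtml(q)}</h1></body></html>`;
}

// Extract the reflected parameter the way a handler would; URL.searchParams
// percent-decodes the value, which is what makes the encoded "<" live again.
function extractQuery(requestUrl) {
  // Hypothetical host, used only so relative request paths parse.
  return new URL(requestUrl, "https://mail.example.test").searchParams.get("q") || "";
}

// Constructed attacker URL. The payload only changes document.title so the
// example is harmless; a real payload would read or forward session material.
const CRAFTED_URL =
  "/owa/search?q=%3Cscript%3Edocument.title%3D%27xss%27%3C%2Fscript%3E";

// True when the rendered HTML contains a real <script ...> start tag.
function reflectsScript(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Run both renderers against the crafted URL and report which one reflects.
function demo() {
  const q = extractQuery(CRAFTED_URL);
  return {
    decodedInput: q,
    vulnerableReflects: reflectsScript(renderVulnerable(q)),
    hardenedReflects: reflectsScript(renderHardened(q)),
  };
}

console.log(demo());
```

Output encoding is context-specific: the escape above is correct for HTML text and quoted attributes, but a value placed inside a script block, a URL, or an unquoted attribute needs a different encoder, which is why a single-purpose escaper or a templating engine with auto-escaping is preferable to ad-hoc string concatenation. A URL rewrite rule of the kind EEMS delivers blocks known-bad request shapes at IIS before they reach the application and is a stopgap until the out-of-band update is installed, not a replacement for fixing the encoding.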