CVE-2026-42897

MediumKnown Exploited

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized…

secure@microsoft.com·CWE-79·Published 2026-05-14

CVSS

6.1

EPSS

0.03

KEV

Yes

Exploits

Vendor statements (1)

msrc.microsoft.com

cve.orgen

181 chars

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
3.1	Primary	cve.org	8.1	—	—	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:F/RL:O/RC:C
3.1	Primary	NVD	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
3.1	Secondary	NVD	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
3.1	Secondary	ENISA EUVD	8.1	—	—	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:F/RL:O/RC:C