
Microsoft has confirmed that attackers are actively exploiting a security flaw in on-premises Exchange Server, tracked as CVE-2026-42897. The vulnerability is a cross-site scripting (XSS) bug that lets an attacker inject malicious JavaScript code into a victim’s browser simply by sending them a specially crafted email. When the victim opens that email in Outlook Web Access (OWA), the code runs — without the victim having to click any link or download anything.
The flaw carries a CVSS severity score of 8.1 and affects all currently supported versions of on-premises Exchange Server. Microsoft has released a patch and recommends applying it immediately. Organizations that rely on cloud-hosted Microsoft 365 are not affected — this issue is specific to Exchange Server software installed and managed directly on a company’s own servers.
How to check if you’re affected
Affected versions include Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE). If your organization runs any of these on-premises and has not yet applied Microsoft’s May 2026 security update, you are at risk. Home users who access email through Outlook.com or Microsoft 365 are not affected. If you are unsure whether your workplace uses on-premises Exchange, ask your IT department. Microsoft recommends applying the latest security update as soon as possible and monitoring OWA access logs for unusual JavaScript activity.
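The version check the article asks for, as an added example (not from the article or from Microsoft): it inventories the on-premises Exchange servers and compares each one's build against the build that carries the May 2026 security update. It assumes it runs in the Exchange Management Shell with WinRM access to every server, and the build numbers in the table are placeholders to be replaced with the values Microsoft publishes for the update. Exchange security updates do not change the AdminDisplayVersion that Get-ExchangeServer reports (that only tracks the Cumulative Update), so the script reads the file version of ExSetup.exe on each server, which does change with each security update.

```powershell
# Added example, not from the article or from Microsoft. Run from the Exchange
# Management Shell on a host that can WinRM to every Exchange server.
# Get-ExchangeServer's AdminDisplayVersion only reflects the Cumulative Update,
# so this reads the ExSetup.exe file version, which moves with each security update.

# PLACEHOLDER table: one entry per supported CU, keyed by the CU build prefix
# (major.minor.build), with the ExSetup.exe version that carries the May 2026
# security update. Replace keys and values with the builds Microsoft lists.
$MinimumPatchedBuild = @{
    '15.1.0' = [version]'15.1.0.0'   # PLACEHOLDER: Exchange 2016 CU build -> patched build
    '15.2.0' = [version]'15.2.0.0'   # PLACEHOLDER: Exchange 2019 CU build -> patched build
    '15.2.1' = [version]'15.2.1.0'   # PLACEHOLDER: Exchange SE build   -> patched build
}

function Get-ExchangePatchStatus {
    # Edge Transport servers do not host OWA, so only Mailbox/ClientAccess roles are checked.
    $servers = Get-ExchangeServer | Where-Object { $_.ServerRole -match 'Mailbox|ClientAccess' }
    foreach ($server in $servers) {
        $build = $null; $required = $null
        try {
            $fileVersion = Invoke-Command -ComputerName $server.Fqdn -ErrorAction Stop -ScriptBlock {
                (Get-Command ExSetup.exe).FileVersionInfo.FileVersion
            }
            # FileVersion looks like "15.02.1544.004"; [version] normalises the leading zeros.
            $build    = [version]$fileVersion
            $cuPrefix = '{0}.{1}.{2}' -f $build.Major, $build.Minor, $build.Build
            $required = $MinimumPatchedBuild[$cuPrefix]
            $status = if ($null -eq $required)  { 'Unknown CU (add it to the table)' }
                      elseif ($build -lt $required) { 'UNPATCHED' }
                      else                          { 'Patched' }
        } catch {
            $status = "Error: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Server        = $server.Name
            Build         = $build
            RequiredBuild = $required
            Status        = $status
        }
    }
}

# Unpatched and unreachable servers sort to the top for quick triage.
Get-ExchangePatchStatus | Sort-Object Status | Format-Table -AutoSize
```

A server reported as "Unknown CU" is not a pass: it is running a Cumulative Update not in the table, which is typically an out-of-support CU that the security update cannot be installed on at all. Treat those servers as exposed until they are brought to a supported CU and patched.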
