Critical XSS Vulnerability in Microsoft Exchange Server Actively Exploited

A critical cross-site scripting (XSS) vulnerability (CVE-2026-42897) in on-premises Microsoft Exchange Server is being actively exploited by attackers, as warned by Microsoft on Thursday, May 15, 2026. The flaw affects Exchange Server Subscription Edition RTM, 2019, and 2016, while Exchange Online remains unaffected. Discovered by an anonymous researcher, the vulnerability enables unauthorized attackers to conduct spoofing attacks over a network. Microsoft has not yet released a permanent patch but has provided temporary mitigations. No specific details on the scale of exploitation or affected organizations were disclosed.