CVE-2026-42897: Microsoft Exchange Server Zero-Day Exploited in the Wild — No Permanent Patch, CISA Deadline May 29
CVE-2026-42897 is a CVSS 8.1 cross-site scripting zero-day in Microsoft Exchange Server’s Outlook Web Access (OWA), actively exploited in the wild. An attacker sends a crafted email; when the victim opens it in OWA, arbitrary JavaScript executes in their browser, hijacking their authenticated session. No permanent patch exists. The vulnerability is listed in the CISA KEV catalog, with a federal deadline of May 29. Exchange Online is not affected. Apply the EOMT mitigation immediately.
