CVE-2026-42897: Exchange Server OWA Spoofing Flaw Exploited via Crafted Email

Microsoft disclosed CVE-2026-42897, an 8.1 CVSS XSS/spoofing vulnerability in on-premises Exchange Server OWA (2016, 2019, Subscription Edition) that can execute arbitrary JavaScript from a crafted email; exploitation in the wild has been observed, Exchange Online is not affected, and Microsoft recommends using the Exchange Emergency Mitigation Service or the Exchange On‑premises Mitigation Tool until a permanent patch is released.