Exchange Server XSS-to-Spoofing: CVE-2026-42897 Added to CISA KEV
A cross-site scripting flaw in on-premises Microsoft Exchange Server enables email spoofing via crafted messages. CISA added it to KEV on May 15 with a May 29 federal deadline.
The Vulnerability
On May 15, 2026, CISA added CVE-2026-42897 to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability is a spoofing bug in on-premises Microsoft Exchange Server stemming from a cross-site scripting (XSS) flaw, carrying a CVSS score of 8.1 (High). Federal agencies must apply mitigations by May 29, 2026.
The attack vector is a crafted email message that, when rendered by Outlook Web Access (OWA), executes attacker-controlled JavaScript in the context of the authenticated user session.
Why Exchange XSS Still Matters
On-premises Exchange Server remains widely deployed in government agencies, healthcare organizations, and financial institutions: environments where migrating email to the cloud is slow because of compliance requirements or air-gap policies. These are exactly the environments where XSS-to-session-hijack chains have the highest impact.
An attacker who achieves JavaScript execution in an OWA session can:
- Read and send email as the victim
- Access contacts and calendar data
- Exfiltrate attachments
- Pivot to other Exchange administrative functions if the victim has elevated privileges
The CWE Mapping
CWE-79 (Cross-site Scripting): The root cause. Input from email message content is rendered without adequate sanitization in the OWA web interface.
CWE-451 (User Interface Misrepresentation of Critical Information): The spoofing component. The XSS payload can modify the displayed sender, subject, and message content, making phishing indistinguishable from legitimate internal mail.
CWE-116 (Improper Encoding or Escaping of Output): The email rendering pipeline does not consistently encode HTML entities in message body content before insertion into the DOM.
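The three CWEs above describe one defect seen from three angles: message fields are concatenated into markup without output encoding, so markup inside a field becomes part of the page and can rewrite what the reader sees. The following is an added example, not code from the advisory or from Microsoft Exchange/OWA: a miniature message-header renderer with the defective and the encoded variant side by side. The function names, the rendering layout and the message contents are constructed for illustration.

```javascript
// Added example (not advisory or Exchange/OWA code): a toy OWA-style header
// renderer showing the CWE-116 output-encoding defect and its fix.

// Encode the five characters HTML interprets, so message text is shown as
// text rather than parsed as markup (the CWE-79 / CWE-116 fix).
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Defective rendering: fields are interpolated straight into markup, so any
// tags contained in the sender or subject become part of the DOM.
function renderHeaderUnsafe(msg) {
  return `<div class="from">${msg.from}</div>` +
         `<div class="subject">${msg.subject}</div>`;
}

// Hardened rendering: every field is encoded at the output point.
function renderHeaderSafe(msg) {
  return `<div class="from">${escapeHtml(msg.from)}</div>` +
         `<div class="subject">${escapeHtml(msg.subject)}</div>`;
}

// Crude approximation of "what the reader sees": drop all tags. Used to show
// how unencoded markup changes the displayed sender (the CWE-451 effect).
function visibleText(html) {
  return html.replace(/<[^>]*>/g, '');
}

// Constructed message: the display name carries benign markup. Unencoded, it
// is rendered as formatting that lends the sender false credibility; encoded,
// the reader sees the literal characters and nothing else changes.
const constructedMessage = {
  from: 'Helpdesk <b>(verified internal sender)</b>',
  subject: 'Password reset <span hidden>ignored</span>',
};

console.log('unsafe:', visibleText(renderHeaderUnsafe(constructedMessage)));
console.log('safe:  ', visibleText(renderHeaderSafe(constructedMessage)));
```

The check a reviewer wants is simple: the encoded output must never contain a raw `<` that originated in a message field. Real OWA rendering is far more involved (HTML mail is sanitized rather than fully escaped), but the invariant is the same at every sink.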
Mitigation
- Apply the May 2026 Exchange cumulative update immediately.
- Restrict OWA access to managed devices and enforce Content Security Policy headers if your Exchange version supports custom headers.
- Monitor for anomalous OWA sessions: unusual geographic origins, bulk email access, or mailbox delegation changes are indicators.
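The third mitigation is the one most teams can act on before the patch window closes. As an added example (not code from the advisory or from Microsoft), here is detection logic for the three indicators named above, run over constructed, simplified session records. The record fields (`ts`, `user`, `country`, `event`, `target`), the per-user country baseline and the bulk-access threshold are assumptions and not a real Exchange audit-log schema; the event names `MailItemsAccessed` and `Add-MailboxPermission` are borrowed from Exchange auditing only as plausible labels.

```javascript
// Added example (not advisory or Exchange code): flag unusual geography,
// bulk mailbox access and delegation changes in OWA-style session records.

const BULK_READ_THRESHOLD = 50;    // item reads per user inside the window (assumed)
const WINDOW_MS = 10 * 60 * 1000;  // sliding ten-minute window

// Assumed event names that indicate a delegation / permission change.
const DELEGATION_EVENTS = new Set(['Add-MailboxPermission', 'Set-MailboxPermission',
                                   'Add-MailboxFolderPermission']);

// Constructed baseline: countries each user normally signs in from.
const knownCountries = { alice: new Set(['US']), bob: new Set(['US', 'CA']) };

// Constructed records: alice signs in from a new country, reads 60 items in a
// minute and then grants bob access to her mailbox; bob behaves normally.
const constructedLog = [
  { ts: '2026-05-16T08:00:00Z', user: 'alice', country: 'US', event: 'Logon' },
  { ts: '2026-05-16T08:01:00Z', user: 'alice', country: 'RO', event: 'Logon' },
  ...Array.from({ length: 60 }, (_, i) => ({
    ts: new Date(Date.parse('2026-05-16T08:02:00Z') + i * 1000).toISOString(),
    user: 'alice', country: 'RO', event: 'MailItemsAccessed',
  })),
  { ts: '2026-05-16T08:05:00Z', user: 'alice', country: 'RO',
    event: 'Add-MailboxPermission', target: 'bob' },
  { ts: '2026-05-16T09:00:00Z', user: 'bob', country: 'CA', event: 'Logon' },
  { ts: '2026-05-16T09:01:00Z', user: 'bob', country: 'CA', event: 'MailItemsAccessed' },
];

// Walk records in time order and return one finding per triggered rule.
function detectAnomalies(records) {
  const findings = [];
  const readTimes = new Map(); // user -> timestamps of reads inside the window
  const ordered = [...records].sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));

  for (const r of ordered) {
    // Rule 1: logon from a country outside the user's baseline.
    if (r.event === 'Logon') {
      const baseline = knownCountries[r.user] || new Set();
      if (!baseline.has(r.country)) {
        findings.push({ rule: 'unusual-geo', user: r.user, detail: r.country, ts: r.ts });
      }
    }
    // Rule 2: bulk access, fired once when the sliding window crosses the threshold.
    if (r.event === 'MailItemsAccessed') {
      const t = Date.parse(r.ts);
      const q = readTimes.get(r.user) || [];
      while (q.length && t - q[0] > WINDOW_MS) q.shift();
      q.push(t);
      readTimes.set(r.user, q);
      if (q.length === BULK_READ_THRESHOLD) {
        findings.push({ rule: 'bulk-access', user: r.user,
                        detail: `${q.length} reads within ${WINDOW_MS / 60000} min`, ts: r.ts });
      }
    }
    // Rule 3: any delegation change is worth a look during an XSS-to-session campaign.
    if (DELEGATION_EVENTS.has(r.event)) {
      findings.push({ rule: 'delegation-change', user: r.user, detail: r.target, ts: r.ts });
    }
  }
  return findings;
}

console.log(JSON.stringify(detectAnomalies(constructedLog), null, 2));
```

Each rule alone is noisy; what makes them useful here is correlation on the same user within a short span, which is the pattern a hijacked OWA session leaves behind.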
How Deva Detects XSS Patterns
Deva taint-mode rules for CWE-79 track data flow from user-controlled input sources (request parameters, message content, form fields) through to output sinks (DOM insertion, template rendering, response bodies). The scanner identifies missing sanitization and encoding at each output point, with rules covering all major web frameworks.
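To make the source-to-sink idea concrete, here is an added example that is not Deva's rule engine or any real scanner's code: a minimal taint-propagation pass over a hand-written intermediate representation. The IR statement shapes, the source, sanitizer and sink names, and the analysed program are all assumptions chosen to mirror the CWE-79 flows described above.

```javascript
// Added example (not Deva or any scanner's code): forward taint propagation
// over a tiny straight-line IR. Each variable carries the set of sources that
// can reach it; a sink that receives a non-empty set is a finding.

const SOURCES = new Set(['request.params', 'message.body', 'form.field']);
const SANITIZERS = new Set(['escapeHtml', 'encodeForHtml']);
const SINKS = new Set(['innerHTML', 'template.render', 'response.write']);

// Union the taint sets of several variables.
function mergeTaint(taint, names) {
  const merged = new Set();
  for (const n of names) for (const src of taint.get(n) || []) merged.add(src);
  return merged;
}

// Statement forms (assumed IR):
//   { op: 'read',   to, from }        read a value from a named location
//   { op: 'call',   to, fn, args }    call a function, bind the result
//   { op: 'concat', to, parts }       string concatenation
//   { op: 'sink',   sink, arg, line } write a variable to an output point
function analyze(program) {
  const taint = new Map();
  const findings = [];
  for (const s of program) {
    switch (s.op) {
      case 'read':
        taint.set(s.to, SOURCES.has(s.from) ? new Set([s.from]) : new Set());
        break;
      case 'call':
        // A known sanitizer clears taint; any other call propagates it from
        // every argument, which is the conservative choice for an unknown callee.
        taint.set(s.to, SANITIZERS.has(s.fn) ? new Set() : mergeTaint(taint, s.args));
        break;
      case 'concat':
        taint.set(s.to, mergeTaint(taint, s.parts));
        break;
      case 'sink':
        if (SINKS.has(s.sink)) {
          const reaching = taint.get(s.arg) || new Set();
          if (reaching.size > 0) {
            findings.push({ line: s.line, sink: s.sink, sources: [...reaching].sort() });
          }
        }
        break;
      default:
        throw new Error(`unknown op ${s.op}`);
    }
  }
  return findings;
}

// Constructed program: one sanitized flow, one flow hidden inside a concat,
// and one flow passed through a function that is not a sanitizer.
const constructedProgram = [
  { op: 'read',   to: 'body',     from: 'message.body' },
  { op: 'read',   to: 'subj',     from: 'message.body' },
  { op: 'read',   to: 'label',    from: 'config.label' },          // not a source
  { op: 'call',   to: 'safeBody', fn: 'escapeHtml', args: ['body'] },
  { op: 'concat', to: 'card',     parts: ['label', 'subj'] },      // subj is unencoded
  { op: 'sink',   sink: 'innerHTML',       arg: 'safeBody', line: 6 }, // clean
  { op: 'sink',   sink: 'innerHTML',       arg: 'card',     line: 7 }, // finding
  { op: 'call',   to: 'trimmed',  fn: 'trim', args: ['body'] },    // trim does not encode
  { op: 'sink',   sink: 'template.render', arg: 'trimmed',  line: 9 }, // finding
];

console.log(JSON.stringify(analyze(constructedProgram), null, 2));
```

The two findings illustrate the cases that matter in practice: taint surviving string concatenation, and a transformation (`trim`) that looks like cleanup but is not an encoder. A production engine adds control flow, inter-procedural summaries and framework-specific sink models, but the propagation rule is the same.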
Deva Security Team
Threat research, application security analysis, and defensive engineering insights from the DevSecCode team.