Microsoft Exchange Server CVE-2026-42897 lets an attacker execute arbitrary JavaScript in a victim's browser just by getting them to open an email in Outlook Web Access.

It is being exploited in the wild.

Microsoft classified it as... "spoofing." 🤔

Affected: on-premises Exchange Server 2016, 2019 and SE. Exchange Online is not impacted.