Microsoft has disclosed a critical vulnerability in Exchange Server that allows arbitrary JavaScript execution through crafted emails in Outlook Web App (OWA). The flaw, tracked as CVE-2026-42897, affects Exchange Server 2016, 2019, and the new Exchange Server SE.
Mitigations come with side effects
Microsoft recommends two mitigations: enabling the Exchange EM Service or applying a scripted mitigation. Both workarounds come with side effects. OWA Print Calendar may stop working, inline images may not display correctly, and OWA light mode will be broken.
A permanent fix is in development. Exchange Server SE will receive a public update. For Exchange Server 2016 and 2019, the fix requires an Extended Security Updates (ESU) Period 2 subscription. Exchange Online is not affected by this vulnerability.
Microsoft has not confirmed a release date for the proper fix. The company advises administrators to apply one of the mitigations in the meantime.



Discussion
0 comments
Log in to join the thread with a thoughtful take, question, or correction.