Microsoft Exchange Server Critical Vulnerability CVE-2026-42897 Allows JavaScript Execution

Microsoft discloses critical Exchange Server vulnerability CVE-2026-42897 allowing arbitrary JavaScript execution via OWA. Mitigations available but cause side effects; permanent fix pending.

Microsoft Exchange Server Critical Vulnerability CVE-2026-42897 Allows JavaScript Execution

Microsoft has disclosed a critical vulnerability in Exchange Server that allows arbitrary JavaScript execution through crafted emails in Outlook Web App (OWA). The flaw, tracked as CVE-2026-42897, affects Exchange Server 2016, 2019, and the new Exchange Server SE.

Mitigations come with side effects

Microsoft recommends two mitigations: enabling the Exchange EM Service or applying a scripted mitigation. Both workarounds come with side effects. OWA Print Calendar may stop working, inline images may not display correctly, and OWA light mode will be broken.

A permanent fix is in development. Exchange Server SE will receive a public update. For Exchange Server 2016 and 2019, the fix requires an Extended Security Updates (ESU) Period 2 subscription. Exchange Online is not affected by this vulnerability.

Microsoft has not confirmed a release date for the proper fix. The company advises administrators to apply one of the mitigations in the meantime.

Discussion

0 comments

Log in to join the thread with a thoughtful take, question, or correction.

Add to the discussion