Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
Microsoft recommends installing the July 2026 Security Updates for your version of Exchange Server to be protected from this vulnerability. Customers who have installed the July 2026 Security Updates on all affected Exchange servers are fully protected and may safely remove the CVE-2026-42897 mitigation (which is similar in nature and mitigates CVE-2026-55008 also). Microsoft recommends keeping the Emergency Mitigation (EM) Service enabled to receive future emergency mitigations and security protections. For additional information, please see the Exchange blog post. How could an attacker exploit this vulnerability? An attacker could exploit this issue by sending a specifically crafted malicious email to the user. If the user opens this email, in Outlook Web Access, and certain conditions are met, arbitrary execution of JavaScript would occur in the browser context.
Michael Maturi with Google