Key Findings Microsoft Exchange Server vulnerability CVE-2026-42897 is actively being exploited in the wild Cross-site scripting flaw with CVSS score of 8.1 enables spoofing and arbitrary JavaScript execution Vulnerability affects on-premises Exchange Server 2016, 2019, and Subscription Edition at any update level Exchange Online is not impacted Temporary mitigation available through Exchange Emergency Mitigation Service; permanent patch in development Attackers deliver explo