CVE-2026-42897: the Exchange Server zero-day that triggers when you open an email in OWA
Microsoft has confirmed active exploitation of CVE-2026-42897, an XSS flaw in on-premises Exchange OWA that runs JavaScript the moment a crafted email is opened. What it means and how to contain it.
By Thilina Manana · COO and Technical Security Director, hard2bit