Microsoft warned that threat actors are actively exploiting a new Exchange Server zero-day vulnerability tracked as CVE-2026-42897 (CVSS score 8.1).
The vulnerability is an improper neutralization of input during web page generation (‘cross-site scripting’) in Microsoft Exchange Server. An attacker can exploit the flaw to perform spoofing over a network.
“Improper neutralization of input during we...
