CVE-2026-42897: Exchange Server Zero-Day Executes JavaScript Through Your Inbox
Microsoft's on-prem Exchange Server has an actively exploited XSS zero-day (CVSS 8.1). A single crafted email in OWA triggers arbitrary JavaScript — here's how it works and how to stop it.