Microsoft is warning users about a newly disclosed zero-day vulnerability in Exchange Server that's being actively exploited in the wild. The flaw, tracked as CVE-2026-42897, is a spoofing and cross-site scripting issue that allows attackers to execute arbitrary JavaScript when targeted users open specially crafted emails in Outlook Web Access. Microsoft has released mitigation guidance while working on a permanent patch, and the vulnerability affects Exchange Server 2016, 2019, and Subscription Edition.