Attention: You are using an outdated browser, device or you do not have the latest version of JavaScript downloaded and so this website may not work as expected. Please download the latest software or switch device to avoid further issues.
| 18 May 2026 | |
| Written by Gabi Gerber | |
| Attacks & Threats |
| Hacking Topics, Security Operation Center |
The vulnerability, tracked as CVE-2026-42897 (CVSS score: 8.1), has been described as a spoofing bug stemming from a cross-site scripting flaw. An anonymous researcher has been credited with discovering and reporting the issue.
"Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network," the tech giant said in a Thursday advisory.
Microsoft, which tagged the vulnerability with an "Exploitation Detected" assessment, said an attacker could weaponize it by sending a crafted email to a user, which, when opened in Outlook Web Access and subject to other "certain interaction conditions," can allow arbitrary JavaScript code to be executed in the context of the web browser. More here
Threat actors can easily steal one-time passwords sent by text when they conduct a SIM swap attack. This can lead to account takeovers, so users must layer up their security measur… More...
A leaked GitHub token underscores what most organizations get wrong: Treating secrets management as a tooling problem ra… More...
In addition to executing entirely in memory, the malware's infection chain incorporates other anti-analysis techniques d… More...
The disgruntled researcher released yet another PoC for a Windows Defender bug that allows for system takeover, showing … More...
“Ghost-Sender" is the result of a widespread misconfiguration, according to researchers, and evidence indicates it's bei… More...
Threat actors can easily steal one-time passwords sent by text when they conduct a SIM swap attack. This can lead to account takeovers, so users must layer up their security measur… More...
A leaked GitHub token underscores what most organizations get wrong: Treating secrets management as a tooling problem ra… More...
In addition to executing entirely in memory, the malware's infection chain incorporates other anti-analysis techniques d… More...
The disgruntled researcher released yet another PoC for a Windows Defender bug that allows for system takeover, showing … More...
“Ghost-Sender" is the result of a widespread misconfiguration, according to researchers, and evidence indicates it's bei… More...
