CVE-2026-42897 is an exploitable cross-site scripting (XSS) vulnerability in the Outlook Web Access component of Microsoft Exchange Server. When specific interaction conditions are satisfied during web page generation, arbitrary JavaScript executes within the browser context. CISA has catalogued the vulnerability on its Known Exploited Vulnerabilities list, which indicates that active exploitation has been observed in operational environments.