Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: xss (4 articles)Clear

Microsoft finally patches actively exploited Exchange OWA spoofing zero-day

Microsoft has shipped the first full patch for an Exchange Server zero-day that attackers have been exploiting since May. The flaw (CVE-2026-42897) is a cross-site scripting bug in Outlook Web Access: an attacker emails a victim, and when the message is opened in OWA, malicious JavaScript runs inside the victim's authenticated session, allowing session-token theft and mailbox impersonation without ever touching the server. It affects Exchange Server 2016, 2019, and Subscription Edition, and CISA added it to its known-exploited list back in May. Until this week only temporary mitigations existed; the June security updates provide the permanent fix.

Check
Confirm the June 2026 security update is applied to all on-premises Exchange servers, and review OWA and mailbox audit logs for suspicious script activity or session hijacking since May.
Affected
On-premises Microsoft Exchange Server 2016, 2019, and Subscription Edition exposing Outlook Web Access (CVE-2026-42897), a spoofing and cross-site scripting flaw exploited in attacks since May.
Fix
Apply the June 2026 Exchange security update now to replace the earlier mitigation-only guidance, then reset potentially exposed OWA sessions and rotate credentials for affected mailboxes.

Microsoft Exchange OWA zero-day actively exploited via crafted email, no patch yet (CVE-2026-42897)

Just two days after a 138-fix Patch Tuesday that listed no zero-days, Microsoft disclosed CVE-2026-42897, an Exchange Server XSS-to-spoofing flaw it has tagged 'Exploitation Detected.' The bug is rated CVSS 8.1 and reported by an anonymous researcher. An unauthenticated attacker emails a crafted message; if the victim opens it in Outlook Web Access and meets certain interaction conditions, arbitrary JavaScript runs in the browser session context, enabling spoofing and session abuse. On-prem Exchange Server 2016, 2019, and Subscription Edition are affected; Exchange Online is not. No permanent patch exists yet, only mitigation through the Exchange Emergency Mitigation Service.

Check
Inventory all on-prem Exchange Server 2016, 2019, and Subscription Edition instances; check Exchange EM Service is enabled and the May 14 mitigation shows 'Applied'; review OWA web access logs for unusual JavaScript-triggering email opens and crafted-message indicators.
Affected
Microsoft Exchange Server 2016 CU23, Exchange Server 2019 CU14 and CU15, and Exchange Server Subscription Edition RTM. Exchange Online customers are not affected. Risk is highest for internet-facing OWA deployments.
Fix
Confirm Exchange Emergency Mitigation Service is enabled (default since Sep 2021) and 'Applied' for CVE-2026-42897. If disabled, run EOMT.ps1 with the CVE flag. Permanent updates are coming for SE RTM, 2016 CU23, and 2019 CU14/CU15.

Instructure confirms ShinyHunters used Canvas XSS flaws to deface school login portals and pressure ransom

Instructure confirms that ShinyHunters exploited multiple cross-site scripting flaws in Canvas to deface school login portals on May 7, demanding the company and individual schools negotiate ransom by May 12. The flaws are in user-generated-content features of the free Free-for-Teacher Canvas environment and let the attacker grab authenticated admin sessions. This was a second hit following the original breach disclosed a week earlier that ShinyHunters claims netted 3.6 terabytes covering 8,809 educational organizations and 275 million student, teacher, and staff records. Instructure has taken Free-for-Teacher offline and applied additional safeguards; main Canvas has been restored since May 9.

Check
If your school uses Canvas, check whether students or staff saw the defaced login page on May 7. Review browser logs for any extension that interacted with injected ransom content.
Affected
Canvas instances accessed through the Free-for-Teacher environment between May 7 and Instructure taking it offline. The exploited cross-site scripting flaws sit in user-generated-content features that allowed JavaScript injection. Schools and universities running the paid Canvas LMS are also exposed to the underlying data breach that ShinyHunters used for extortion leverage.
Fix
Wait for Instructure's official statement on which XSS vulnerabilities were exploited and when Free-for-Teacher returns. For paid Canvas tenants, assume usernames, email addresses, course names, enrollment information, and direct messages were part of the 3.6TB leak and treat affected accounts as phishing targets. Force-rotate any API tokens issued for Canvas integrations and audit external integrations that accepted user-generated content.

Over 10,500 Zimbra servers still vulnerable to actively-exploited XSS as CISA gives federal agencies just three days to patch (CVE-2025-48700)

Shadowserver scan data published Friday shows over 10,500 Zimbra Collaboration Suite instances still unpatched against CVE-2025-48700, a Classic-UI XSS that Synacor fixed in June 2025 but CISA only added to KEV on April 20. Exposed servers split nearly evenly between Asia (3,794) and Europe (3,793). The flaw triggers when a victim simply views a crafted email - no clicks - and runs JavaScript inside their authenticated session for mailbox theft and MFA backup-code retrieval. Zimbra is a recurring APT target: Russia's Winter Vivern, APT29, and APT28 have all run Zimbra-XSS campaigns against NATO and Ukrainian targets.

Check
If you run Zimbra anywhere - including subsidiaries, acquired companies, and overseas regional offices - confirm patch status against CVE-2025-48700 today.
Affected
Zimbra Collaboration Suite 8.8.15, 9.0, 10.0, and 10.1 without the June 2025 security patches. Exploitation requires a user to view a crafted email in the Classic UI; servers using only the Modern UI are not exposed via this specific flaw, but related issues are addressed by the same patch. CVSS 6.1.
Fix
Apply the June 2025 patches across all instances. Where immediate patching is impossible, switch users to the Modern UI as a stopgap and remove webmail from direct internet exposure. Audit the past 60 days of mailbox audit logs for unusual TGZ archive creation, MFA backup-code retrieval, application-password generation, and bulk address-book access. Rotate application passwords issued during the vulnerable window.