
Microsoft Exchange Server Zero-Day CVE-2026-42897 Actively Exploited with No Patch Available

  • Shipped
  • Action required
  • High importance

CVE-2026-42897 is an improper input neutralization flaw (CVSS 8.1) affecting Exchange Server 2016, 2019, and Subscription Edition; Exchange Online is not affected. An attacker can send a crafted email that, when rendered by an Outlook client, triggers code execution and spoofing over the network. As of the May 14 disclosure, no security update has been released.

Microsoft has activated the Exchange Emergency Mitigation Service (EEMS) automatically for eligible deployments and published a PowerShell-based Exchange On-premises Mitigation Tool as temporary relief; both mitigations carry side effects, including loss of calendar printing and inline image rendering.

The absence of a patch for an actively exploited high-severity flaw in widely deployed on-premises Exchange infrastructure elevates organizational risk significantly. Exchange 2016 and 2019 fixes are restricted to Period 2 Extended Security Update customers, while Subscription Edition customers should expect a public patch when ready. Organizations should verify that EEMS is active, apply the on-premises mitigation tool, and restrict inbound email processing until a patch is released.
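The first action item above is to confirm that EEMS is actually enabled and applying mitigations on every on-premises server. The following Exchange Management Shell snippet is an added example, not part of the advisory and not Microsoft's mitigation tool; it relies on the `MitigationsEnabled`, `MitigationsApplied` and `MitigationsBlocked` properties that Microsoft documents for `Get-OrganizationConfig` and `Get-ExchangeServer`, and it assumes the default install path in `$env:ExchangeInstallPath` and the `Get-Mitigations.ps1` script that ships in the Exchange `Scripts` folder. The on-premises mitigation tool itself is not invoked here because the advisory does not give its parameters.

```powershell
# Added example (not from the advisory): report EEMS status across the org
# and flag servers where EEMS is effectively off.
# Run from the Exchange Management Shell on an Exchange 2016/2019/SE server.

# Organization-wide switch. If this is $false, EEMS applies nothing anywhere,
# regardless of the per-server setting.
$org = Get-OrganizationConfig
"Organization MitigationsEnabled: $($org.MitigationsEnabled)"

# Per-server view. MitigationsEnabled can be turned off per server;
# MitigationsApplied / MitigationsBlocked list mitigation IDs in effect or blocked.
$servers = Get-ExchangeServer
foreach ($s in $servers) {
    [pscustomobject]@{
        Server             = $s.Name
        MitigationsEnabled = $s.MitigationsEnabled
        MitigationsApplied = ($s.MitigationsApplied -join ', ')
        MitigationsBlocked = ($s.MitigationsBlocked -join ', ')
    }
}

# Servers that EEMS is not protecting: either the org switch is off or the
# server has opted out. These need the on-premises mitigation tool instead.
$uncovered = $servers | Where-Object {
    (-not $org.MitigationsEnabled) -or (-not $_.MitigationsEnabled)
}
if ($uncovered) {
    "EEMS is NOT active on: $($uncovered.Name -join ', ')"
} else {
    "EEMS is active on all $($servers.Count) server(s)."
}

# Detailed list of applied mitigations via the shipped script (path is an
# assumption based on the default install layout).
$script = Join-Path $env:ExchangeInstallPath 'Scripts\Get-Mitigations.ps1'
if (Test-Path $script) { & $script }
```

Because EEMS fetches and applies mitigations on its own schedule, a server that shows `MitigationsEnabled` as `$true` but an empty `MitigationsApplied` has not yet picked up anything; re-run the check after the service's next poll rather than assuming coverage, and treat any server listed under "NOT active" as a candidate for the manual mitigation tool.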