ctipilot.ch


CVE-2026-42897 — Microsoft Exchange Server: OWA stored-XSS, no permanent update, ESU gap

From CTI Weekly Summary — 2026-W21 (Mon 18 – Sun 24, 2026) · published 2026-05-18

See § 1 for full operational framing. Key update this week: the Exchange Team Blog (2026-05-17) confirmed that the EM Service mitigation only works on servers that have the Emergency Mitigation (EM) Service enabled and that can reach officemitigations.microsoft.com outbound. A server with the service disabled, or without outbound connectivity to that Microsoft endpoint, is unmitigated; with no permanent update available, that is the only protection on offer. Exchange 2016/2019 servers without ESU Period 2 coverage will not receive a fixing update and are therefore left permanently on a mitigation-only posture. The DEVCORE Pwn2Own three-bug SYSTEM RCE chain (disclosed 2026-05-16 via ZDI) is a separate vulnerability class that has not yet been formally linked to the OWA-XSS exploitation path.
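The two preconditions named above (EM Service enabled, endpoint reachable) are the ones a defender needs to verify per server, not per organisation. The following script is an added example for this brief; it is not code from ctipilot.ch or from Microsoft. It assumes it is run from the Exchange Management Shell with rights to remote into each server, that Get-OrganizationConfig and Get-ExchangeServer expose the MitigationsEnabled, MitigationsApplied and MitigationsBlocked properties as documented for EEMS, that the Windows service is named MSExchangeMitigation, and that the endpoint to test is the hostname the brief names.

```powershell
# Added example (not from the ctipilot.ch brief or Microsoft): per-server EM Service posture
# inventory, run from the Exchange Management Shell.
# Assumptions: Exchange property names MitigationsEnabled/MitigationsApplied/MitigationsBlocked
# and the service name MSExchangeMitigation are as documented for EEMS; the endpoint hostname
# is the one named in the brief; Invoke-Command (WinRM) works against every server FQDN.
$Endpoint = 'officemitigations.microsoft.com'

# Org-level switch: when $false, no server applies mitigations regardless of its own setting.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

$report = foreach ($srv in Get-ExchangeServer | Where-Object { $_.ServerRole -ne 'Edge' }) {
    # Test outbound HTTPS from the Exchange server itself, not from the admin workstation,
    # because egress filtering is normally applied per host or per subnet.
    $reach = Invoke-Command -ComputerName $srv.Fqdn -ScriptBlock {
        param($h)
        (Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
    } -ArgumentList $Endpoint -ErrorAction SilentlyContinue

    $svc = Get-Service -ComputerName $srv.Fqdn -Name MSExchangeMitigation -ErrorAction SilentlyContinue

    $serviceRunning   = ($svc -ne $null -and $svc.Status -eq 'Running')
    $endpointReachable = [bool]$reach

    [pscustomobject]@{
        Server              = $srv.Name
        Version             = $srv.AdminDisplayVersion
        OrgMitigationsOn    = $orgEnabled
        ServerMitigationsOn = $srv.MitigationsEnabled
        ServiceRunning      = $serviceRunning
        EndpointReachable   = $endpointReachable
        Applied             = ($srv.MitigationsApplied -join ',')
        Blocked             = ($srv.MitigationsBlocked -join ',')
        # Per the brief: a server is unmitigated unless EM Service is on at both levels,
        # the service is running, and the Microsoft endpoint is reachable.
        Unmitigated         = -not ($orgEnabled -and $srv.MitigationsEnabled -and $serviceRunning -and $endpointReachable)
    }
}

# Unmitigated servers first; keep a CSV for the ticket or the weekly report.
$report | Sort-Object Unmitigated -Descending | Format-Table -AutoSize
$report | Export-Csv -Path .\eems-posture.csv -NoTypeInformation
```

A row with Unmitigated = True is a server the Exchange Team Blog statement says has no protection against this issue; the Applied and Blocked columns show whether the EM Service has ever fetched and applied the mitigation, which a TCP-level reachability test alone cannot prove.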