Description
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Published: 2026-04-14
Score: 4.6 Medium
EPSS: 25.1% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker who already holds an authenticated account with rights to submit content (the vector's PR:L, most likely contribute or edit rights on a site) can submit data that SharePoint renders into a page without proper output encoding. The description does not say which input field or page is affected. Because the input is not neutralized, injected script or misleading markup is rendered when another user views the page (the vector's UI:R), so the attacker can alter what the SharePoint interface shows, impersonate legitimate content and deceive users. With scope unchanged and only low confidentiality and integrity impact, the recorded effect is spoofing inside the SharePoint application rather than a takeover of the server.

Affected Systems

Affected products are Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019 and SharePoint Server Subscription Edition (the CPEs recorded under History). Only on-premises server editions are listed. Installations of these products without the corresponding Microsoft security update are affected.

Risk and Exploitability

The CVSS 3.1 base score of 4.6 (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N) classifies this vulnerability as medium severity. The EPSS probability of 25.1% is the estimated chance of exploitation activity within the next 30 days; that is well above the median for CVEs and indicates exploitation is reasonably likely once the conditions are met. The vulnerability is not in the CISA KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no, so no confirmed exploitation had been reported when this page was generated. Exploitation requires an authenticated account that can submit content plus a victim who views the affected page; it does not require administrative rights, so an insider or a compromised low-privilege account is enough. The resulting spoofing can undermine user trust and may support social engineering (for example a fake sign-in prompt or misleading notice placed in a trusted intranet page) or further compromise. Overall, the risk is moderate and warrants timely remediation.

Generated by OpenCVE AI on June 18, 2026 at 09:12 UTC.

Remediation

The OpenCVE remediation field lists no vendor fix or workaround. The CVSS temporal metrics recorded for this CVE (RL:O, Remediation Level: Official Fix) indicate that Microsoft has published an official fix; the update is listed under CVE-2026-20945 in the Microsoft Security Update Guide.

OpenCVE Recommended Actions

  • Apply the Microsoft security update for SharePoint Server 2016, 2019 and Subscription Edition from the Microsoft Security Update Guide or Windows Update, then run the SharePoint Products Configuration Wizard (or psconfig) on the farm; until it runs, the binaries are installed but the farm build is not upgraded.
  • Until the farm is patched, reduce how much raw HTML and script contributors can place on pages: limit Script Editor and Content Editor web parts and custom script to users who need them, and prefer the rich‑text fields that SharePoint sanitizes. The output encoding in SharePoint's own page rendering is not administrator‑configurable; that fix comes with the vendor update.
  • Restrict page‑editing rights (Contribute, Edit, Design, Full Control and any custom role that grants Add and Customize Pages) to trusted users, and enable site collection auditing for item updates so unauthorized content changes can be detected and traced to an account.
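As an added worked example for the last two actions (not code from OpenCVE or Microsoft), the following read-only script for the SharePoint Management Shell on an on-premises farm reports the farm build for comparison against the update in the Security Update Guide, lists every principal in every uniquely permissioned web whose role carries Add and Customize Pages (the base permission behind page and web part edits), and flags site collections where item-update auditing is off. It assumes farm-administrator rights and the server object model; the fixed build number is not on this page, so the script prints the build rather than judging it.

```powershell
# Added example, not from the OpenCVE page or Microsoft. Run in the SharePoint
# Management Shell on a farm server as a farm administrator. Read-only: it
# reports and changes nothing.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Patch state. The fixed build for this CVE is not on this page; compare the
#    reported build with the KB listed in the Microsoft Security Update Guide.
$farm = Get-SPFarm
Write-Host ("Farm build: {0}" -f $farm.BuildVersion)

# 2. Who can place content on pages. AddAndCustomizePages is the base permission
#    behind page and web part edits; Contribute, Edit, Design and Full Control
#    all carry it, as may custom role definitions.
$pageEdit    = [Microsoft.SharePoint.SPBasePermissions]::AddAndCustomizePages
$updateAudit = [Microsoft.SharePoint.SPAuditMaskType]::Update

$editors   = New-Object System.Collections.Generic.List[object]
$unaudited = New-Object System.Collections.Generic.List[string]

foreach ($site in Get-SPSite -Limit All) {
    try {
        # 3. Site collection auditing: the Update flag must be on for content
        #    changes to appear in the audit log reports.
        if (-not $site.Audit.AuditFlags.HasFlag($updateAudit)) {
            $unaudited.Add($site.Url)
        }
        foreach ($web in $site.AllWebs) {
            try {
                # Webs that inherit permissions would only repeat their parent's list.
                if (-not $web.HasUniqueRoleAssignments) { continue }
                foreach ($ra in $web.RoleAssignments) {
                    $roles = @($ra.RoleDefinitionBindings |
                        Where-Object { $_.BasePermissions.HasFlag($pageEdit) })
                    if ($roles.Count -eq 0) { continue }
                    # Expand SharePoint groups so the report names accounts, not groups.
                    $members = if ($ra.Member -is [Microsoft.SharePoint.SPGroup]) {
                        @($ra.Member.Users | ForEach-Object { $_.LoginName })
                    } else {
                        @($ra.Member.LoginName)
                    }
                    $editors.Add([pscustomobject]@{
                        Web       = $web.Url
                        Principal = $ra.Member.Name
                        Roles     = ($roles | ForEach-Object { $_.Name }) -join ', '
                        Members   = $members -join ', '
                    })
                }
            } finally { $web.Dispose() }
        }
    } finally { $site.Dispose() }
}

"`nPrincipals able to edit pages (review against who should hold the right):"
$editors | Sort-Object Web, Principal | Format-Table -AutoSize -Wrap

"`nSite collections without item-update auditing:"
$unaudited
```

On a large farm `Get-SPSite -Limit All` walks every site collection and can take a while; scope it with `-WebApplication` if only one web application hosts contributor-editable pages. Active Directory groups granted directly or nested inside SharePoint groups are listed by name only, since expanding them needs a directory query.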

Advisories

No advisories yet.

History

Wed, 06 May 2026 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*

Wed, 15 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft sharepoint Enterprise Server 2016
Microsoft sharepoint Server Subscription Edition
Vendors & Products Microsoft sharepoint Enterprise Server 2016
Microsoft sharepoint Server Subscription Edition

Tue, 14 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
Description Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Title Microsoft SharePoint Server Spoofing Vulnerability
First Time appeared Microsoft
Microsoft sharepoint Server
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
Weaknesses CWE-79
CPEs cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft sharepoint Server
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
References
Metrics cvssV3_1

{'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-19T16:07:28.663Z

Reserved: 2025-12-04T20:04:16.339Z

Link: CVE-2026-20945

Vulnrichment

Updated: 2026-04-14T19:03:48.052Z

NVD

Status : Analyzed

Published: 2026-04-14T18:16:43.737

Modified: 2026-06-17T10:18:05.593

Link: CVE-2026-20945

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T09:15:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')