Description
Improper neutralization of special elements used in an sql command ('sql injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
Published: 2026-01-13
Score: 8.8 High
EPSS: 17.9% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An SQL injection flaw exists in Microsoft SharePoint Server. The flaw lies in the improper neutralization of special elements used in an SQL command, allowing malicious statements to be executed against the database. Because the injection occurs in code that is executed by the SharePoint engine, a successful exploit can result in arbitrary code execution on the server. The vulnerability is identified as CWE‑89 and is only reachable by an authenticated user who can access the SharePoint instance.

Affected Systems

Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, and Microsoft SharePoint Server Subscription Edition are affected. No specific build or patch levels are listed in the advisory, so any installation of these products that has not applied the latest security update is at risk. The affected components are the SharePoint web services that construct SQL commands from user-supplied input.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity risk. The EPSS score of 18% suggests a moderate likelihood of exploitation in the wild, and the vulnerability is not yet listed in the CISA KEV catalog. The attack would be carried out over the network against a SharePoint instance for which the attacker already has authenticated access. Inferred from the description, the attacker needs legitimate credentials or permissions to trigger the injection, after which the execution of arbitrary code, data exfiltration, or denial of service could be achieved, compromising confidentiality, integrity, and availability of the SharePoint server.

Generated by OpenCVE AI on June 18, 2026 at 13:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Microsoft SharePoint Server to the latest patched release that addresses CVE‑2026‑20947.
  • Apply a network segmentation strategy or use firewalls and reverse‑proxy solutions to limit external exposure of SharePoint servers to the internet.
  • Enforce the principle of least privilege on all SharePoint administrative and service accounts, ensuring only the minimum permissions required for normal operation are granted.

Generated by OpenCVE AI on June 18, 2026 at 13:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 16 Jan 2026 16:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*

Tue, 13 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 13 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Description Improper neutralization of special elements used in an sql command ('sql injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
Title Microsoft SharePoint Server Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft sharepoint Server
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
Weaknesses CWE-89
CPEs cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft sharepoint Server
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


Subscriptions

Microsoft Sharepoint Server Sharepoint Server 2016 Sharepoint Server 2019
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-01T13:49:01.729Z

Reserved: 2025-12-04T20:04:16.339Z

Link: CVE-2026-20947

cve-icon Vulnrichment

Updated: 2026-01-13T20:22:14.271Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-13T18:16:22.167

Modified: 2026-06-17T10:18:05.823

Link: CVE-2026-20947

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T13:45:05Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')