Description
Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to execute code locally.
Published: 2026-01-13
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an improper input validation flaw that permits an attacker without authorization to execute arbitrary code locally on Microsoft SharePoint Server installations. The flaw could allow the execution of malicious scripts or binaries with the privileges of the SharePoint service process, potentially compromising the integrity and confidentiality of the affected system and the data stored within it.

Affected Systems

Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, and Microsoft SharePoint Server Subscription Edition are affected when running unpatched versions. The vulnerability applies to all product releases identified by the Microsoft CNA that are listed in the known affected products.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, while the EPSS score of less than 1% shows a very low probability of exploitation at the time of reporting. The vulnerability is not currently featured in the CISA KEV catalog. The attack vector is inferred to be remote, typically via malicious input sent over the network to SharePoint processes, because the flaw involves input validation in a web‑based component. A successful exploit would grant code execution rights to the attacker with the same privileges as the SharePoint service account.

Generated by OpenCVE AI on April 16, 2026 at 18:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the security update for Microsoft SharePoint Server 2016, 2019, and Subscription Edition that addresses the input validation flaw, as described in the Microsoft Security Update Guide.
  • Block external access to SharePoint Server services from untrusted networks using firewall rules or a reverse proxy to reduce the attack surface.
  • Enable detailed audit logging for SharePoint and review logs regularly to detect any anomalous activity after the update.

Advisories

No advisories yet.

History

Thu, 15 Jan 2026 00:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 14 Jan 2026 19:30:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:enterprise:*:*:*; cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*

Tue, 13 Jan 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to execute code locally.
Title | | Microsoft SharePoint Server Remote Code Execution Vulnerability
First Time appeared | | Microsoft; Microsoft sharepoint Server; Microsoft sharepoint Server 2016; Microsoft sharepoint Server 2019
Weaknesses | | CWE-20
CPEs | | cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*; cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*; cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*
Vendors & Products | | Microsoft; Microsoft sharepoint Server; Microsoft sharepoint Server 2016; Microsoft sharepoint Server 2019
References | |
Metrics | | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-01T13:48:56.656Z

Reserved: 2025-12-04T20:04:16.339Z

Link: CVE-2026-20951

Vulnrichment

Updated: 2026-01-13T19:32:30.344Z

NVD

Status: Analyzed

Published: 2026-01-13T18:16:22.833

Modified: 2026-01-14T19:22:17.313

Link: CVE-2026-20951

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T18:15:43Z

Weaknesses