Impact
The vulnerability is an improper neutralization of input during web page generation (CWE‑79), commonly known as XSS. Key detail from the vendor: "Improper neutralization of input during web page generation ('cross‑site scripting') in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network." This flaw can allow an attacker to inject malicious scripts that masquerade as legitimate SharePoint content, potentially deceiving users and facilitating phishing or other social engineering attacks. The primary impact is deception and the potential for further exploitation based on user interaction with the spoofed content.
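To make the CWE‑79 mechanism concrete from the defender's side, the following Python snippet is an added illustration, not code from the advisory or from SharePoint itself. It shows a page fragment rendered once without neutralization and once with HTML entity encoding, plus a simple check that flags when an untrusted value carrying markup characters survives verbatim into the generated page. The display-name value, the `attacker.invalid` hostname and the function names are all constructed for the example.

```python
import html

# Constructed sample input (not from the advisory): a user-supplied display name
# that smuggles a link styled to look like legitimate portal content.
UNTRUSTED_DISPLAY_NAME = 'Finance Team <a href="http://attacker.invalid">Sign in</a>'


def render_banner_vulnerable(display_name: str) -> str:
    """Improper neutralization: raw input is interpolated into markup, so any tags
    or attributes the user supplied become part of the page the browser renders."""
    return f"<div class='banner'>Welcome, {display_name}</div>"


def render_banner_hardened(display_name: str) -> str:
    """Neutralizes the value for an HTML text context before interpolation.
    quote=True also encodes quotes, which matters if the same helper is ever
    reused inside an attribute value."""
    return f"<div class='banner'>Welcome, {html.escape(display_name, quote=True)}</div>"


def contains_injected_markup(untrusted: str, rendered: str) -> bool:
    """Detection-style check for tests or log review: true when the untrusted value
    contains HTML-significant characters and still appears unchanged in the output."""
    has_markup_chars = any(ch in untrusted for ch in '<>"\'')
    return has_markup_chars and untrusted in rendered


if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_banner_vulnerable),
                            ("hardened", render_banner_hardened)):
        page = renderer(UNTRUSTED_DISPLAY_NAME)
        print(f"[{label}] injected markup present: "
              f"{contains_injected_markup(UNTRUSTED_DISPLAY_NAME, page)}")
        print(page)
```

The check is deliberately coarse: it only catches the case where input is echoed byte-for-byte, which is enough to demonstrate the difference between the two renderers but is not a substitute for context-aware encoding on every output path (text, attribute, URL and script contexts each need their own rules).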
Affected Systems
Affected products are Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, and Microsoft SharePoint Server Subscription Edition. Specific version numbers are not provided in the CVE data, so all listed product lines are considered impacted.
Risk and Exploitability
The CVSS score of 8.1 indicates high severity. EPSS is reported as <1%, suggesting a low likelihood of current exploitation, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a remote web‑based XSS in which an attacker supplies untrusted input to a SharePoint page that is then rendered to other users, producing spoofed content or phishing interfaces. The risk is greatest in environments where SharePoint sites accept input from untrusted parties or are browsed by users holding elevated privileges.
OpenCVE Enrichment