Description
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.
Published: 2026-03-10
Score: 8.1 High
EPSS: 1.3% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw originates from improper neutralization of input during web page generation, classified as CWE‑79 (cross‑site scripting). When the SharePoint server renders content to users, malicious input can be injected into the page, causing browsers to execute unintended scripts. This can lead attackers to display spoofed content or redirect users to malicious sites, effectively deceiving users over the network.

Affected Systems

Affected products are Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, and Microsoft SharePoint Server Subscription Edition. Exact version numbers are not listed in the CVE data, so all listed product lines are considered impacted.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. The EPSS score of 1% suggests a low current likelihood of exploitation, and the vulnerability is not listed in the Center for Internet Security's Known Exploited Vulnerabilities catalog. Based on the description, it is inferred that the likely attack vector is a remote web‑based XSS where an attacker supplies untrusted input to a SharePoint page that is rendered to other users. The risk remains significant for environments that expose SharePoint sites to untrusted input or users with elevated privileges.

Generated by OpenCVE AI on June 18, 2026 at 13:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and apply the security update for the affected SharePoint products from the Microsoft Security Update Guide.
  • Upgrade to the latest SharePoint release that includes the fix.
  • Implement a content‑security policy or a web application firewall rule to block injection of malicious scripts until the patch is deployed.

Generated by OpenCVE AI on June 18, 2026 at 13:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft sharepoint Server Subscription Edition
Vendors & Products Microsoft sharepoint Server Subscription Edition

Tue, 10 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Description Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.
Title Microsoft SharePoint Server Spoofing Vulnerability
First Time appeared Microsoft
Microsoft sharepoint Server
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
Weaknesses CWE-79
CPEs cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft sharepoint Server
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C'}


Subscriptions

Microsoft Sharepoint Server Sharepoint Server 2016 Sharepoint Server 2019 Sharepoint Server Subscription Edition
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-19T18:17:45.833Z

Reserved: 2026-02-11T15:52:13.909Z

Link: CVE-2026-26105

cve-icon Vulnrichment

Updated: 2026-03-10T18:39:55.765Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T18:18:38.473

Modified: 2026-06-17T10:25:43.700

Link: CVE-2026-26105

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T13:45:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')