Description
Improper input validation in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
Published: 2026-03-10
Score: 8.8 High
EPSS: 1.4% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is due to improper input validation in Microsoft SharePoint Server, which allows an authorized attacker to execute arbitrary code over the network. Because it enables remote code execution, an attacker could gain full control of the affected SharePoint instance and compromise data confidentiality, integrity, and availability. The weakness is identified as CWE-20 (Improper Input Validation).

Affected Systems

Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, and Microsoft SharePoint Server Subscription Edition are affected. No specific sub‑versions are listed; the vulnerability applies to all builds of these products as indicated by the CPE entries in the advisory.

Risk and Exploitability

With a CVSS score of 8.8 the vulnerability is classified as High; the EPSS score of 1% indicates a low probability of exploitation in the wild. It is not listed in the CISA KEV catalog. The exploit requires an authenticated attacker with administrative privileges; once authenticated, the attacker may send specially crafted requests to trigger code execution. The high severity and potential for full control make this a significant risk for affected SharePoint instances.

Generated by OpenCVE AI on June 18, 2026 at 10:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest official Microsoft security update for SharePoint Server.
  • Limit administrative access by restricting trusted user accounts to the minimum necessary roles.
  • Implement network segmentation and firewall rules to restrict access to SharePoint from untrusted networks.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*

Tue, 10 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Description Improper input validation in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
Title Microsoft SharePoint Server Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft sharepoint Server
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
Weaknesses CWE-20
CPEs cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft sharepoint Server
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-19T18:18:05.371Z

Reserved: 2026-02-11T15:52:13.909Z

Link: CVE-2026-26106

Vulnrichment

Updated: 2026-03-10T19:43:56.063Z

NVD

Status: Analyzed

Published: 2026-03-10T18:18:38.647

Modified: 2026-06-17T10:25:43.817

Link: CVE-2026-26106

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T10:30:05Z

Weaknesses