Description
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
Published: 2026-05-12
Score: 8.8 High
EPSS: 1.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authorized attacker with network access can exploit unsafe deserialization of untrusted data in Microsoft Office SharePoint, which may allow arbitrary code execution on affected SharePoint servers. The weakness is classified as CWE‑502, reflecting insecure deserialization. The vulnerability can enable the attacker to compromise the confidentiality, integrity, and availability of the SharePoint instance by running code with the privileges of the web service process.

Affected Systems

Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, and Microsoft SharePoint Server Subscription Edition are listed as affected products. No specific version exclusions were provided, so all current builds of these products are considered vulnerable.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity vulnerability, although EPSS data is unavailable and the issue is not currently listed in the CISA KEV catalogue. The likely attack surface requires an authenticated attacker who can initiate network traffic to the SharePoint server; thus the threat is confined to users with legitimate credentials or privileged administrative channels. Still, the high CVSS suggests that once exploitation is achieved, the attacker can take full control of the server environment.

Generated by OpenCVE AI on May 12, 2026 at 18:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Microsoft security update that addresses CVE‑2026‑33112 from the Microsoft Update Catalog or the Microsoft Security Advisory.
  • Restrict network access to SharePoint servers using firewall or segmentation so that only trusted administrative hosts can reach the SharePoint endpoints.
  • Employ strict role‑based access control so that only users with the minimal required permissions can upload or modify data that might trigger the deserialization scenario.

Generated by OpenCVE AI on May 12, 2026 at 18:44 UTC.

Advisories

No advisories yet.

History

Wed, 13 May 2026 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*

Wed, 13 May 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft sharepoint Server Subscription Edition
Vendors & Products Microsoft sharepoint Server Subscription Edition

Tue, 12 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
Title Microsoft SharePoint Server Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft sharepoint Server
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
Weaknesses CWE-502
CPEs cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft sharepoint Server
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-02T23:17:00.227Z

Reserved: 2026-03-17T20:15:23.720Z

Link: CVE-2026-33112

Vulnrichment

Updated: 2026-05-12T19:20:38.149Z

NVD

Status: Analyzed

Published: 2026-05-12T18:17:03.687

Modified: 2026-05-13T20:53:28.320

Link: CVE-2026-33112

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T10:00:10Z
