Description
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Published: 2026-06-09
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper neutralization of input during web page generation in Microsoft SharePoint manifests as a cross‑site scripting flaw. The vulnerability permits an authenticated attacker who can submit content to the web interface to cause the server to render malicious scripts that appear as legitimate SharePoint pages, resulting in spoofing over the network. The attack would allow the attacker to present false content to users, potentially misleading them about the authenticity of the SharePoint environment.

Affected Systems

Microsoft SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition are affected. No specific patch versions are listed, so all presently supported releases of these products are impacted until a vendor fix is applied.

Risk and Exploitability

The CVSS score of 5.4 signifies moderate severity. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires authorized access to the SharePoint environment; the most likely attack path involves submitting malicious input through the web interface, which the server echoes without proper encoding. The vulnerability therefore presents a moderate risk to the integrity and trustworthiness of the SharePoint interface.

Generated by OpenCVE AI on June 9, 2026 at 19:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Microsoft security update for CVE‑2026‑33113 as detailed on the Microsoft update guide.
  • Limit or block user‑supplied script content in SharePoint web pages by configuring a web application firewall rule that rejects or sanitizes embedded <script> tags.
  • Enforce strict output encoding and a Content Security Policy that disallows inline scripts to prevent untrusted code from executing on page load.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Microsoft sharepoint Enterprise Server 2016, Microsoft sharepoint Server Subscription Edition
Vendors & Products | | Microsoft sharepoint Enterprise Server 2016, Microsoft sharepoint Server Subscription Edition

Tue, 09 Jun 2026 17:15:00 +0000

Type | Values Removed | Values Added
Description | | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Title | | Microsoft SharePoint Server Spoofing Vulnerability
First Time appeared | | Microsoft, Microsoft sharepoint Server, Microsoft sharepoint Server 2016, Microsoft sharepoint Server 2019
Weaknesses | | CWE-79
CPEs | | cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*, cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*, cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*
Vendors & Products | | Microsoft, Microsoft sharepoint Server, Microsoft sharepoint Server 2016, Microsoft sharepoint Server 2019
References | |
Metrics | | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T21:50:32.665Z

Reserved: 2026-03-17T20:15:23.720Z

Link: CVE-2026-33113

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-06-09T17:17:04.120

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-33113

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T20:00:17Z

Weaknesses