Description
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
Published: 2026-05-12
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from deserialization of untrusted data within Microsoft SharePoint, allowing an authorized attacker to execute code on the server. This flaw is classified as CWE-502 and can lead to full compromise of the affected system, granting the attacker control over confidentiality, integrity, and availability of the SharePoint environment.

Affected Systems

Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, and Microsoft SharePoint Server Subscription Edition are affected. No specific patch versions are provided in the input beyond the product names.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity. EPSS data is not available, so current exploitation probability cannot be quantified. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a network-based exploit that requires an attacker to have authorized access or sufficient SharePoint permissions to trigger the deserialization process.

Generated by OpenCVE AI on May 12, 2026 at 19:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Microsoft security update for CVE-2026-35439 as listed on the Microsoft Security Response Center
  • Configure SharePoint to use the latest verified configuration settings and restrict external access to the server
  • Ensure least‑privilege access controls are enforced so that only trusted accounts can execute actions that involve data deserialization

Generated by OpenCVE AI on May 12, 2026 at 19:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
Title Microsoft SharePoint Server Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft sharepoint Server
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
Weaknesses CWE-502
CPEs cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft sharepoint Server
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Sharepoint Server Sharepoint Server 2016 Sharepoint Server 2019
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-13T03:57:23.260Z

Reserved: 2026-04-02T19:21:11.805Z

Link: CVE-2026-35439

cve-icon Vulnrichment

Updated: 2026-05-12T19:47:54.079Z

cve-icon NVD

Status : Received

Published: 2026-05-12T18:17:14.153

Modified: 2026-05-12T18:17:14.153

Link: CVE-2026-35439

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T21:00:12Z

Weaknesses