Description
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
Published: 2026-05-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from deserialization of untrusted data in Microsoft Office SharePoint, enabling an authorized attacker with existing credentials to execute code remotely. This flaw is classified as CWE-1220 and can lead to full control over the SharePoint server, jeopardizing confidentiality, integrity, and availability of the entire environment.

Affected Systems

Microsoft SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Subscription Edition are affected. Any installation of these products that has not received the relevant security update is vulnerable, regardless of deployment environment or governance model.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. The EPSS score of 0.00071 indicates a very low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is over a network from an attacker who already holds authorized credentials but can exploit overly permissive access. Exploitation requires the attacker to interact with vulnerable components, which may limit the threat to internal or compromised accounts rather than the general public.

Generated by OpenCVE AI on June 1, 2026 at 21:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft SharePoint security update released for the affected versions, available from the Microsoft Security Update Guide.
  • Reconfigure SharePoint permission levels to ensure that authorized users have only the minimum rights necessary for their role, eliminating over‑permission for sensitive components.
  • Restrict network accessibility to the SharePoint servers by implementing firewall rules or a web application firewall that blocks unauthenticated or suspicious requests targeting the vulnerable components.

Generated by OpenCVE AI on June 1, 2026 at 21:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description Insufficient granularity of access control in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

Wed, 13 May 2026 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*

Tue, 12 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description Insufficient granularity of access control in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
Title Microsoft SharePoint Server Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft sharepoint Server
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
Weaknesses CWE-1220
CPEs cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft sharepoint Server
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Sharepoint Server Sharepoint Server 2016 Sharepoint Server 2019
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-02T23:17:10.815Z

Reserved: 2026-04-11T23:06:15.614Z

Link: CVE-2026-40365

cve-icon Vulnrichment

Updated: 2026-05-12T19:12:01.467Z

cve-icon NVD

Status : Modified

Published: 2026-05-12T18:17:15.483

Modified: 2026-06-01T19:16:34.737

Link: CVE-2026-40365

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-01T21:45:22Z

Weaknesses