Description
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Published: 2026-06-09
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cross‑site scripting in Microsoft SharePoint Server allows an authorized attacker to inject malicious input during web page generation, enabling page spoofing over the network. The improper neutralization of input (CWE‑79) means that crafted content can be rendered to users who navigate the affected pages, allowing an attacker to present deceptive or false information. This can undermine users’ confidence in the interface and facilitate social engineering attacks, though the description does not specify credential theft or phishing.

Affected Systems

Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, and Microsoft SharePoint Server Subscription Edition are affected. No specific version numbers are provided, so any installed instance of these products is vulnerable unless a later update addresses the flaw.

Risk and Exploitability

The CVSS score of 5.4 indicates medium severity. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, so exploitation data is limited. The likely attack vector is a local or network‑connected user with write or content‑injection privileges on the SharePoint web application. Because the vulnerability requires prior access to the SharePoint environment, the risk is contextual and depends on network segmentation and user role limits.

Generated by OpenCVE AI on June 9, 2026 at 20:01 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Consult the Microsoft Security Response Center advisory linked in the reference for any available update and apply the fix when released.
  • Implement strict content‑security policies on SharePoint sites to block execution of injected scripts and restrict origins from which scripts may be loaded.
  • Monitor SharePoint server logs for unusual page generation activity that could indicate exploitation attempts.
  • Apply least privilege and network segmentation controls to limit users’ ability to inject content into the SharePoint web application.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 20:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Tue, 09 Jun 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. |
| Title | | Microsoft SharePoint Server Spoofing Vulnerability |
| First Time appeared | | Microsoft; Microsoft sharepoint Server; Microsoft sharepoint Server 2016; Microsoft sharepoint Server 2019 |
| Weaknesses | | CWE-79 |
| CPEs | | cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*; cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*; cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:* |
| Vendors & Products | | Microsoft; Microsoft sharepoint Server; Microsoft sharepoint Server 2016; Microsoft sharepoint Server 2019 |
| References | | |
| Metrics | | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C'} |


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T21:49:51.950Z

Reserved: 2026-05-12T16:06:43.096Z

Link: CVE-2026-45453

Vulnrichment

Updated: 2026-06-09T20:04:06.276Z

NVD

Status: Awaiting Analysis

Published: 2026-06-09T17:17:19.407

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-45453

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T20:15:07Z

Weaknesses