Microsoft Office SharePoint has an XSS weakness that occurs when the system fails to neutralize certain user-controlled input during web page rendering. An attacker who can legitimately interact with SharePoint—such as a user with content editing or administrative privileges—can inject malicious script fragments into pages or elements that the platform then reflects back to users without proper encoding. This capability enables the attacker to display false information or fake administrative responses (spoofing) over the network, potentially deceiving users into revealing credentials or executing unintended actions. The vulnerability has a CVSS score of 4.6, indicating moderate severity. The exploitation likelihood is not publicly available, and it has not been observed in the CISA KEV catalog. Exploitation requires authentic access within a SharePoint environment and the ability to inject content that is subsequently displayed to other users.

The flaw affects Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, and Microsoft SharePoint Subscription Edition. No specific affected release dates or version ranges were listed in the CNA data, so any installation of these product lines may be vulnerable until a patch is applied.

The CVSS rating reflects that the attack vector is remote, local access or network access with authenticated privileges is needed, and the impact is primarily on integrity for the web pages presented. Since the EPSS score is not available, it is unclear how frequently the flaw is being exploited in the wild. The lack of KEV inclusion suggests no large-scale exploitation has yet been reported. Nonetheless, an attacker with the necessary privileges can leverage the XSS to trick legitimate users into performing actions within the SharePoint environment, potentially leading to data tampering or credential theft.