Description
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Published: 2026-06-09
Score: 4.6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation, known as a cross‑site scripting flaw (CWE‑79). An attacker who already has authorized SharePoint access can inject malicious content that is rendered in the browser, allowing them to spoof page content or user interface elements. This can mislead users into believing they are interacting with legitimate SharePoint features, potentially facilitating social‑engineering or data‑exfiltration attempts.

Affected Systems

Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, and Microsoft SharePoint Server Subscription Edition. The issue applies to all pending releases of these products as listed, with no specific version range disclosed.

Risk and Exploitability

The CVSS score of 4.6 (Medium) indicates a low to moderate impact, with no confirmed remote exploitation or code execution. EPSS is not available, and the vulnerability is not in the CISA KEV catalog. Exploitation likely requires an attacker to have legitimate edit permissions within SharePoint and then supply crafted input that the server fails to sanitize, resulting in client‑side script execution that displays spoofed content.

Generated by OpenCVE AI on June 9, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Review and apply the latest SharePoint security updates from Microsoft via the update guide linked in the advisory.
  • Restrict editing permissions to trusted users only, and audit custom page content regularly to prevent unauthorized modifications.
  • Implement additional client‑side defenses such as content‑security‑policy headers and XSS filtering to reduce the impact of any remaining unsanitized input.



Advisories

No advisories yet.

History

Tue, 09 Jun 2026 17:15:00 +0000

Type | Values Removed | Values Added
Description | | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Title | | Microsoft SharePoint Server Spoofing Vulnerability
First Time appeared | | Microsoft; Microsoft sharepoint Server; Microsoft sharepoint Server 2016; Microsoft sharepoint Server 2019
Weaknesses | | CWE-79
CPEs | | cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*; cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*; cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*
Vendors & Products | | Microsoft; Microsoft sharepoint Server; Microsoft sharepoint Server 2016; Microsoft sharepoint Server 2019
References | |
Metrics | | cvssV3_1: {'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T21:49:35.461Z

Reserved: 2026-05-12T16:06:43.098Z

Link: CVE-2026-45467

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-06-09T17:17:21.213

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-45467

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T01:00:11Z
