Description
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Published: 2026-06-09
Score: 4.6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from improper neutralization of user input when SharePoint generates web pages. The resulting cross‑site scripting flaw can be leveraged by an authorised attacker to inject malicious scripts or modify page content, creating a network‑based spoofing scenario where users are presented with forged information that appears legitimate.

Affected Systems

The flaw applies to Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, and Microsoft SharePoint Server Subscription Edition. No specific version numbers are listed; the vulnerability exists in installations that have not received the latest security update for this defect.

Risk and Exploitability

The CVSS score of 4.6 indicates medium severity. EPSS is not available and the vulnerability is not listed in CISA’s KEV catalog, suggesting no confirmed public exploits. Exploitation requires authenticated access to create or edit SharePoint content; the CVSS vector records this as a network attack (AV:N) that needs low privileges (PR:L) and user interaction (UI:R). With those conditions, the attacker could use the compromised site to present spoofed content to visitors.

Generated by OpenCVE AI on June 9, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft SharePoint security updates that contain the fix for CVE‑2026‑45468.
  • Limit write permissions on sites that accept untrusted input to trusted users only, thereby reducing the scope of potential injection.
  • Configure a Content Security Policy for SharePoint sites to block inline scripts and constrain script execution to approved origins.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 17:15:00 +0000

Values Added, by Type (the Values Removed column is empty for every row):

  • Description: Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
  • Title: Microsoft SharePoint Server Spoofing Vulnerability
  • First Time appeared: Microsoft; Microsoft sharepoint Server; Microsoft sharepoint Server 2016; Microsoft sharepoint Server 2019
  • Weaknesses: CWE-79
  • CPEs:
      cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*
      cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*
      cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*
  • Vendors & Products: Microsoft; Microsoft sharepoint Server; Microsoft sharepoint Server 2016; Microsoft sharepoint Server 2019
  • References: (none)
  • Metrics: cvssV3_1 {'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T21:49:36.274Z

Reserved: 2026-05-12T16:06:43.098Z

Link: CVE-2026-45468

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-06-09T17:17:21.340

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-45468

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T19:30:12Z

Weaknesses