Description
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Published: 2026-06-09
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user input in Microsoft SharePoint web page generation permits an authenticated attacker to inject malicious script, leading to spoofing of the site interface. The attacker can modify or fabricate elements of a SharePoint page, potentially deceiving users into trusting false content or credentials. This affects confidentiality and integrity of the displayed data and can undermine user trust in the platform.

Affected Systems

The vulnerability impacts Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, and Microsoft SharePoint Server Subscription Edition. Specific patched versions are not listed in the data, so any installation of these products that has not applied the latest security update is exposed.

Risk and Exploitability

The CVSS score of 7.3 indicates high severity. The vulnerability is not listed in CISA's KEV catalog, suggesting no publicly confirmed exploits at the time of reporting. The likely attack vector requires an authorized user who is able to input content into SharePoint, so if credentials are compromised or permissions are granted carelessly, an attacker could exploit the flaw easily.

Generated by OpenCVE AI on June 9, 2026 at 19:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Microsoft security update that addresses CVE-2026-45481 to all affected SharePoint servers
  • Validate and sanitize all user‑supplied input in custom web parts or pages according to Microsoft’s best‑practice guidelines
  • Restrict write permissions on SharePoint content to the minimum necessary set of users to reduce the chance that an authenticated attacker can inject malicious script


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 11:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Microsoft sharepoint Server Subscription Edition |
| Vendors & Products | | Microsoft sharepoint Server Subscription Edition |

Tue, 09 Jun 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. |
| Title | | Microsoft SharePoint Server Spoofing Vulnerability |
| First Time appeared | | Microsoft; Microsoft sharepoint Server; Microsoft sharepoint Server 2016; Microsoft sharepoint Server 2019 |
| Weaknesses | | CWE-79 |
| CPEs | | `cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*`; `cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*`; `cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*` |
| Vendors & Products | | Microsoft; Microsoft sharepoint Server; Microsoft sharepoint Server 2016; Microsoft sharepoint Server 2019 |
| References | | |
| Metrics | | cvssV3_1: `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C'}` |


Subscriptions

Microsoft: Sharepoint Server, Sharepoint Server 2016, Sharepoint Server 2019, Sharepoint Server Subscription Edition

MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T21:51:03.010Z

Reserved: 2026-05-12T16:07:22.617Z

Link: CVE-2026-45481

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-06-09T17:17:22.417

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-45481

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T11:00:14Z

Weaknesses