Description
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
Published: 2026-05-22
Score: 8.8 High
EPSS: 3.0% Low
KEV: Yes
Impact: n/a
Action: n/a
AI Analysis

Impact

Deserialization of untrusted data in Microsoft Office SharePoint enables an authorized attacker to execute code over the network. The flaw maps to CWE-502, indicating unsafe deserialization of external data. The consequence is a full compromise of the SharePoint server, allowing the attacker to run arbitrary code with the privileges of the executing account.

Affected Systems

Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, and Microsoft SharePoint Server Subscription Edition are affected. Version details are not supplied, so it is unclear whether the vulnerability is limited to specific releases.

Risk and Exploitability

The vulnerability carries a high-severity CVSS score of 8.8. The EPSS score of 3% (≈0.03) indicates a low exploitation probability. The vulnerability was recently added to the CISA KEV catalog. Based on the description, the likely attack vector is inferred to be an authenticated SharePoint user who uploads or manipulates data that the server then deserializes. An attacker could therefore immediately gain code execution on the SharePoint web server or on services running under its context.

Generated by OpenCVE AI on July 3, 2026 at 09:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the security update that Microsoft has released for the affected SharePoint Server versions, as documented on the Microsoft Security Response Center update guide.
  • Restrict or disable any custom deserialization routines and limit uploads of untrusted data to only authorized workflows to reduce the attack surface.
  • Monitor SharePoint server logs and security alerts for abnormal deserialization or code execution activity, and respond promptly if suspicious events are detected.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 21:30:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2026-07-01T00:00:00+00:00', 'dueDate': '2026-07-04T00:00:00+00:00'}


Wed, 27 May 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*

Tue, 26 May 2026 11:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 23 May 2026 04:15:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft sharepoint Enterprise Server 2016
Microsoft sharepoint Server Subscription Edition
Vendors & Products Microsoft sharepoint Enterprise Server 2016
Microsoft sharepoint Server Subscription Edition

Fri, 22 May 2026 22:30:00 +0000

Type Values Removed Values Added
Description Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
Title Microsoft SharePoint Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft sharepoint Server
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
Weaknesses CWE-502
CPEs cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft sharepoint Server
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-07-02T03:55:16.135Z

Reserved: 2026-05-12T20:33:35.158Z

Link: CVE-2026-45659

Vulnrichment

Updated: 2026-05-26T10:54:30.831Z

NVD

Status: Analyzed

Published: 2026-05-22T23:16:56.273

Modified: 2026-06-17T10:52:25.703

Link: CVE-2026-45659

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-03T09:45:05Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data