Description
Improper neutralization of special elements used in an os command ('os command injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
Published: 2026-06-01
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of special elements used in an OS command ('os command injection') in Microsoft Office SharePoint permits an authorized attacker to execute code over the network. The flaw allows the attacker to supply crafted input that is passed to the underlying operating system without proper escaping, enabling execution of arbitrary commands with the privileges of the SharePoint process. This results in remote code execution on the SharePoint server, potentially compromising confidentiality, integrity, and availability of the server and any services that rely on it.

Affected Systems

Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019 and Microsoft SharePoint Server Subscription Edition are all affected. No specific version constraints are listed by Microsoft, so the vulnerability applies to all current releases of these products. The impact applies to the SharePoint web applications hosted on these servers.

Risk and Exploitability

The CVSS score of 8 indicates high severity, but the EPSS score of 0.00638 (less than 1%) suggests the likelihood of exploitation is very low at present. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is network-based, requiring an attacker with authorized access to the SharePoint environment to supply the malicious payload. If such an attacker succeeds, they can execute code on the server with the permissions of the SharePoint process, potentially compromising the entire server and connected applications.

Generated by OpenCVE AI on June 18, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and install the Microsoft security update for SharePoint Server from the MSRC Advisory (CVE-2026-47294)
  • Restrict SharePoint user permissions to the minimum necessary for business functions to limit the attack surface of authorized users
  • Enable audit logs and monitor for unusual deserialization activities or code execution attempts

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

  Type: Description
  Values Removed: Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
  Values Added: Improper neutralization of special elements used in an os command ('os command injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

Wed, 03 Jun 2026 18:45:00 +0000

  Type: CPEs
  Values Added:
    cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:enterprise:*:*:*
    cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*

Wed, 03 Jun 2026 02:30:00 +0000

  Type: First Time appeared
  Values Added:
    Microsoft sharepoint Enterprise Server 2016
    Microsoft sharepoint Server Subscription Edition

  Type: Vendors & Products
  Values Added:
    Microsoft sharepoint Enterprise Server 2016
    Microsoft sharepoint Server Subscription Edition

Tue, 02 Jun 2026 13:30:00 +0000

  Type: Metrics
  Values Added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 19:00:00 +0000

  Type: Description
  Values Added: Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

  Type: Title
  Values Added: Microsoft SharePoint Server Remote Code Execution Vulnerability

  Type: First Time appeared
  Values Added:
    Microsoft
    Microsoft sharepoint Server
    Microsoft sharepoint Server 2016
    Microsoft sharepoint Server 2019

  Type: Weaknesses
  Values Added: CWE-78

  Type: CPEs
  Values Added:
    cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*
    cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*
    cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*

  Type: Vendors & Products
  Values Added:
    Microsoft
    Microsoft sharepoint Server
    Microsoft sharepoint Server 2016
    Microsoft sharepoint Server 2019

  Type: References
  Values Added:

  Type: Metrics
  Values Added: cvssV3_1
    {'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-19T16:13:22.155Z

Reserved: 2026-05-18T23:53:33.897Z

Link: CVE-2026-47294

Vulnrichment

Updated: 2026-06-02T13:03:53.295Z

NVD

Status: Analyzed

Published: 2026-06-01T19:16:53.897

Modified: 2026-06-03T18:42:52.503

Link: CVE-2026-47294

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T22:30:16Z

Weaknesses
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')