Description
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Published: 2026-06-09
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper neutralization of input during web page generation, a form of cross‑site scripting (CWE‑74). A privileged user can inject malicious scripts into pages that are then served to other network participants, enabling the attacker to spoof content and impersonate legitimate users. This can lead to phishing, credential theft, or other forms of social engineering when the spoofed pages are accessed by other users.

Affected Systems

Affected systems include Microsoft SharePoint Server 2019 and Microsoft SharePoint Server Subscription Edition. The CVE description does not specify more granular version ranges, so all deployments of these products are considered potentially vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score of 7.3 indicates a high risk level, and the exploitability metric is not publicly available, meaning it is unclear how likely an attacker can exploit this remotely. The vulnerability is not listed in the CISA KEV catalog. Attackers require authorized access to the SharePoint environment, so the attack vector is likely a credential‑based web interaction. With medium to high risk and the need for privileged credentials, administrators should prioritize patching.

Generated by OpenCVE AI on June 9, 2026 at 19:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft SharePoint Server 2019 security update or subscription update that addresses this XSS issue.
  • Configure SharePoint to enforce strict output encoding for all user‑generated content to prevent cross‑site scripting.
  • Restrict user permissions for page editing and review policies to the least privilege required, and monitor for anomalous injection attempts.

Generated by OpenCVE AI on June 9, 2026 at 19:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Title Microsoft SharePoint Server Spoofing Vulnerability
First Time appeared Microsoft
Microsoft sharepoint Server
Microsoft sharepoint Server 2019
Weaknesses CWE-74
CPEs cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft sharepoint Server
Microsoft sharepoint Server 2019
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Sharepoint Server Sharepoint Server 2019
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T21:51:00.829Z

Reserved: 2026-05-19T20:12:27.070Z

Link: CVE-2026-47634

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-09T17:17:35.300

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-47634

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T19:45:12Z

Weaknesses