Description
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Published: 2026-06-09
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper neutralization of input during web page generation, a form of cross‑site scripting (CWE‑79) and related to improper handling of input (CWE‑74). A privileged user can inject malicious scripts into pages that are then served to other network participants, enabling the attacker to spoof content and impersonate legitimate users. This can lead to phishing, credential theft, or other forms of social engineering when the spoofed pages are accessed by other users.

Affected Systems

Affected systems include Microsoft SharePoint Server 2019 and Microsoft SharePoint Server Subscription Edition. No more granular version ranges are specified, so all deployments of these products are considered potentially vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score of 7.3 indicates a high risk level, and the EPSS score of < 1% indicates a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers require authorized access to the SharePoint environment, so the attack vector is likely a credential‑based web interaction. With a high CVSS score and a low EPSS score, administrators should monitor for updates and apply any available patches promptly.

Generated by OpenCVE AI on June 10, 2026 at 23:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the Microsoft advisory for available updates or patches and apply any that address this XSS issue.
  • Configure SharePoint to enforce strict output encoding for all user‑generated content to prevent cross‑site scripting.
  • Restrict user permissions for page editing and review policies to the least privilege required, and monitor for anomalous injection attempts.

Generated by OpenCVE AI on June 10, 2026 at 23:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
CPEs cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*

Wed, 10 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft sharepoint Server Subscription Edition
Vendors & Products Microsoft sharepoint Server Subscription Edition

Tue, 09 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Title Microsoft SharePoint Server Spoofing Vulnerability
First Time appeared Microsoft
Microsoft sharepoint Server
Microsoft sharepoint Server 2019
Weaknesses CWE-74
CPEs cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft sharepoint Server
Microsoft sharepoint Server 2019
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Sharepoint Server Sharepoint Server 2019 Sharepoint Server Subscription Edition
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-26T19:41:51.167Z

Reserved: 2026-05-19T20:12:27.070Z

Link: CVE-2026-47634

cve-icon Vulnrichment

Updated: 2026-06-10T13:46:29.060Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-09T17:17:35.300

Modified: 2026-06-10T20:49:24.287

Link: CVE-2026-47634

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T00:00:14Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')