Description
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Published: 2026-06-09
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is caused by improper neutralization of user input during web page generation in Microsoft SharePoint, resulting in a Cross‑Site Scripting flaw (CWE‑79). An attacker who is already authorized on the system can inject malicious content that permits spoofing over a network, potentially misleading other users or services and undermining trust in web pages served by SharePoint.

Affected Systems

Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, and Microsoft SharePoint Server Subscription Edition are affected. The CVE references manufacturers that provide updates for these products, but specific version details are not disclosed in the CNA data.

Risk and Exploitability

The vulnerability has a CVSS v3.1 score of 5.4 (Medium). No EPSS score is available and it is not listed in CISA's KEV catalog, suggesting lower current exploitation likelihood. Because exploitation requires an authorized attacker, the risk is confined to environments where users possess privileged SharePoint access. Nevertheless, the ability to spoof users or systems can facilitate further attacks such as phishing or credential theft.

Generated by OpenCVE AI on June 9, 2026 at 20:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check Microsoft's security portal for available patches or updates for SharePoint products.
  • Sandbox or restrict the execution of custom scripts or web parts that handle user input.
  • Enforce input validation and output encoding on any custom SharePoint components before deploying them.
  • Configure role‑based permissions to limit users with the ability to create or modify web pages or custom code to only trusted administrators.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 17:15:00 +0000

Type | Values Removed | Values Added
Description | | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Title | | Microsoft SharePoint Server Spoofing Vulnerability
First Time appeared | | Microsoft; Microsoft sharepoint Server; Microsoft sharepoint Server 2016; Microsoft sharepoint Server 2019
Weaknesses | | CWE-79
CPEs | | cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*; cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*; cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*
Vendors & Products | | Microsoft; Microsoft sharepoint Server; Microsoft sharepoint Server 2016; Microsoft sharepoint Server 2019
References | |
Metrics | | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T17:48:43.548Z

Reserved: 2026-05-19T20:12:27.070Z

Link: CVE-2026-47636

Vulnrichment

No data.

NVD

Status: Undergoing Analysis

Published: 2026-06-09T17:17:35.533

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-47636

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T20:30:13Z

Weaknesses