Description
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Published: 2026-06-09
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from improper neutralization of input during web page generation, enabling cross‑site scripting that an authenticated attacker can exploit to spoof content on Microsoft SharePoint pages. The primary impact is the deception of users, allowing attackers to present falsified information or interfaces within the SharePoint environment.

Affected Systems

Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019 and Microsoft SharePoint Server Subscription Edition are affected. No specific version or patch information is listed, so all current releases of these products may be vulnerable.

Risk and Exploitability

The CVSS score of 4.6 indicates moderate risk, while no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Because the flaw requires an authorized user, the attack vector is likely via legitimate credentials or an internal threat. An attacker who can edit or publish SharePoint pages can inject malicious scripts that appear as legitimate content, resulting in spoofing of trusted pages for other users.

Generated by OpenCVE AI on June 9, 2026 at 19:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply all relevant Microsoft SharePoint updates and cumulative security releases that address web page neutralization issues.
  • Restrict user permissions to limit who can edit or publish web parts and pages that could contain unsanitized input.
  • Enable and configure SharePoint’s built‑in XSS protection features or deploy a web application firewall that blocks or sanitizes malicious script payloads before they reach the browser.

Generated by OpenCVE AI on June 9, 2026 at 19:48 UTC.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 11:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Microsoft sharepoint Enterprise Server 2016; Microsoft sharepoint Server Subscription Edition |
| Vendors & Products | | Microsoft sharepoint Enterprise Server 2016; Microsoft sharepoint Server Subscription Edition |

Tue, 09 Jun 2026 18:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` |

Tue, 09 Jun 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. |
| Title | | Microsoft SharePoint Server Spoofing Vulnerability |
| First Time appeared | | Microsoft; Microsoft sharepoint Server; Microsoft sharepoint Server 2016; Microsoft sharepoint Server 2019 |
| Weaknesses | | CWE-79 |
| CPEs | | `cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*`; `cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*`; `cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*` |
| Vendors & Products | | Microsoft; Microsoft sharepoint Server; Microsoft sharepoint Server 2016; Microsoft sharepoint Server 2019 |
| References | | |
| Metrics | | cvssV3_1 `{'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C'}` |


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T21:50:20.106Z

Reserved: 2026-05-19T20:12:27.070Z

Link: CVE-2026-47637

Vulnrichment

Updated: 2026-06-09T18:03:48.478Z

NVD

Status: Undergoing Analysis

Published: 2026-06-09T17:17:35.660

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-47637

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T11:15:05Z

Weaknesses