Description
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Published: 2026-06-09
Score: 4.6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Microsoft SharePoint implements cross‑site scripting by failing to neutralize data when rendering web pages. This weakness allows an authenticated attacker to embed malicious script into a page, potentially confusing or misdirecting other users through spoofed content. The vulnerability is a classic example of CWE‑79, where improper output encoding can lead to client‑side attacks.

Affected Systems

The flaw affects Microsoft SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. Specific version numbers are not disclosed, so all releases of these products remain vulnerable until an update is issued.

Risk and Exploitability

The CVSS score of 4.6 indicates a moderate severity. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog, suggesting limited or no known active exploitation. An attacker must be authenticated and have permissions to modify content to exploit the flaw, so the risk hinges on credential compromise or mis‑configured permissions. Exploitation would result in unauthorized content spoofing rather than remote code execution or data loss.

Generated by OpenCVE AI on June 9, 2026 at 19:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any Microsoft security updates for SharePoint as soon as they are released
  • Configure a Content‑Security‑Policy or web‑application firewall to block or filter injected scripts
  • Limit content‑editing privileges to the smallest set of users necessary

Generated by OpenCVE AI on June 9, 2026 at 19:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Title Microsoft SharePoint Server Spoofing Vulnerability
First Time appeared Microsoft
Microsoft sharepoint Server
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
Weaknesses CWE-79
CPEs cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft sharepoint Server
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
References
Metrics cvssV3_1

{'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Sharepoint Server Sharepoint Server 2016 Sharepoint Server 2019
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T17:48:44.746Z

Reserved: 2026-05-19T20:12:27.070Z

Link: CVE-2026-47638

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-09T17:17:35.777

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-47638

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T20:00:19Z

Weaknesses