Description
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Published: 2026-06-09
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Microsoft SharePoint implements cross‑site scripting by failing to neutralize data when rendering web pages. This weakness allows an authenticated attacker to embed malicious script into a page, potentially confusing or misdirecting other users through spoofed content. The vulnerability is a classic example of CWE‑79, where improper output encoding can lead to client‑side attacks.

Affected Systems

The flaw affects Microsoft SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. Specific version numbers are not disclosed, so all releases of these products remain vulnerable until an update is issued.

Risk and Exploitability

The CVSS score of 4.6 indicates a moderate severity. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog, suggesting limited or no known active exploitation. An attacker must be authenticated and have permissions to modify content to exploit the flaw, so the risk hinges on credential compromise or mis‑configured permissions. Exploitation would result in unauthorized content spoofing rather than remote code execution or data loss.

Generated by OpenCVE AI on June 9, 2026 at 19:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any Microsoft security updates for SharePoint as soon as they are released
  • Configure a Content‑Security‑Policy or web‑application firewall to block or filter injected scripts
  • Limit content‑editing privileges to the smallest set of users necessary

Generated by OpenCVE AI on June 9, 2026 at 19:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*

Wed, 10 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft sharepoint Enterprise Server 2016
Microsoft sharepoint Server Subscription Edition
Vendors & Products Microsoft sharepoint Enterprise Server 2016
Microsoft sharepoint Server Subscription Edition

Tue, 09 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Title Microsoft SharePoint Server Spoofing Vulnerability
First Time appeared Microsoft
Microsoft sharepoint Server
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
Weaknesses CWE-79
CPEs cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft sharepoint Server
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
References
Metrics cvssV3_1

{'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Sharepoint Enterprise Server 2016 Sharepoint Server Sharepoint Server 2016 Sharepoint Server 2019 Sharepoint Server Subscription Edition
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-26T19:41:12.472Z

Reserved: 2026-05-19T20:12:27.070Z

Link: CVE-2026-47638

cve-icon Vulnrichment

Updated: 2026-06-10T14:22:48.626Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-09T17:17:35.777

Modified: 2026-06-10T16:07:38.817

Link: CVE-2026-47638

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T11:15:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')