Description
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Published: 2026-06-09
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user input in Microsoft SharePoint’s web page rendering can lead to cross‑site scripting, allowing an authorized user to inject malicious content that appears legitimate to other users. This vulnerability can be exploited to spoof website elements and trick individuals into interacting with deceptive interfaces, potentially leading to credential theft or social engineering attacks.

Affected Systems

The affected products are Microsoft SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. No specific version ranges are currently listed in the advisory, so the vulnerability likely applies to all releases of these products until a patch is released.

Risk and Exploitability

The CVSS base score of 5.4 indicates a moderate impact, and the absence of an EPSS rating means there is no publicly available data on exploit probability. The vulnerability is not listed in CISA’s KEV catalog, suggesting no confirmed exploitation yet. Because the flaw requires authorization, the attack surface is limited to users with editing or administrative privileges; compromised credentials or insider threat could therefore be used to perform spoofing.

Generated by OpenCVE AI on June 9, 2026 at 19:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the latest Microsoft SharePoint security update that addresses the XSS neutralization issue as soon as it is released.
  • Enforce strict input validation and output encoding for all user‑generated content, following best practices for preventing cross‑site scripting (CWE‑79).
  • Limit administrative and content‑editing permissions to the smallest set of users necessary, and regularly review user roles to prevent privilege abuse.
  • Consider disabling or restricting the use of custom web parts or script editor controls if they are not required for business processes.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. |
| Title | | Microsoft SharePoint Server Spoofing Vulnerability |
| First Time appeared | | Microsoft; Microsoft sharepoint Server; Microsoft sharepoint Server 2016; Microsoft sharepoint Server 2019 |
| Weaknesses | | CWE-79 |
| CPEs | | cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*; cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*; cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:* |
| Vendors & Products | | Microsoft; Microsoft sharepoint Server; Microsoft sharepoint Server 2016; Microsoft sharepoint Server 2019 |
| References | | |
| Metrics | | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C'} |

MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T17:48:45.808Z

Reserved: 2026-05-19T20:12:27.070Z

Link: CVE-2026-47639

Vulnrichment

No data.

NVD

Status: Undergoing Analysis

Published: 2026-06-09T17:17:35.900

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-47639

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T20:00:19Z
