Description
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Published: 2026-06-09
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user input in Microsoft SharePoint’s web page rendering can lead to cross‑site scripting, allowing an authorized user to inject malicious content that appears legitimate to other users. This vulnerability can be exploited to spoof website elements and trick individuals into interacting with deceptive interfaces, potentially leading to credential theft or social engineering attacks.

Affected Systems

The affected products are Microsoft SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. No specific version ranges are currently listed in the advisory, so the vulnerability likely applies to all releases of these products until a patch is released.

Risk and Exploitability

The CVSS base score of 5.4 indicates a moderate impact, and the absence of an EPSS rating means there is no publicly available data on exploit probability. The vulnerability is not listed in CISA’s KEV catalog, suggesting no confirmed exploitation yet. Because the flaw requires authorization, the attack surface is limited to users with editing or administrative privileges; compromised credentials or insider threat could therefore be used to perform spoofing.

Generated by OpenCVE AI on June 9, 2026 at 19:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the latest Microsoft SharePoint security update that addresses the XSS neutralization issue as soon as it is released.
  • Enforce strict input validation and output encoding for all user‑generated content, following best practices for preventing cross‑site scripting (CWE‑79).
  • Limit administrative and content‑editing permissions to the smallest set of users necessary, and regularly review user roles to prevent privilege abuse.
  • Consider disabling or restricting the use of custom web parts or script editor controls if they are not required for business processes.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*

Wed, 10 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 02:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft sharepoint Enterprise Server 2016
Microsoft sharepoint Server Subscription Edition
Vendors & Products Microsoft sharepoint Enterprise Server 2016
Microsoft sharepoint Server Subscription Edition

Tue, 09 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Title Microsoft SharePoint Server Spoofing Vulnerability
First Time appeared Microsoft
Microsoft sharepoint Server
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
Weaknesses CWE-79
CPEs cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft sharepoint Server
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-26T19:41:13.032Z

Reserved: 2026-05-19T20:12:27.070Z

Link: CVE-2026-47639

Vulnrichment

Updated: 2026-06-10T13:37:22.955Z

NVD

Status: Analyzed

Published: 2026-06-09T17:17:35.900

Modified: 2026-06-10T16:06:37.510

Link: CVE-2026-47639

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T01:45:18Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')