Description
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Published: 2026-06-09
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a cross‑site scripting flaw that occurs when SharePoint does not properly neutralize input during web page generation. This flaw can be abused by an authenticated attacker to inject malicious scripts that cause the server to present a forged page to other users, effectively enabling user or session spoofing. The impact is therefore the ability to impersonate or misrepresent users or content, potentially undermining trust in the system's authenticity.

Affected Systems

Microsoft SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition are affected. No specific version numbers are listed, but all builds of these products are included.

Risk and Exploitability

The CVSS score of 4.6 indicates low overall severity. Exploit probability data is not available, and the vulnerability is not listed in CISA's KEV catalog. The attack likely requires the attacker to have legitimate credentials or authorized access to the SharePoint environment, after which they can inject malicious input into a page. No known publicly available exploits are reported at the time of this analysis.

Generated by OpenCVE AI on June 9, 2026 at 19:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft security update for SharePoint Server 2016, 2019, and Subscription Edition to address the XSS flaw
  • Restrict modification permissions so that only trusted users can create or edit pages that could contain untrusted input
  • Enable or reinforce SharePoint’s input validation and sanitization features to block unsanitized data from being rendered in web pages
  • Monitor SharePoint logs and user activity for signs of spoofed or malicious pages



Advisories

No advisories yet.

History

Wed, 10 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:sharepoint_server:16.0.19725.20384:*:*:*:subscription:*:*:*
cpe:2.3:a:microsoft:sharepoint_server:2016:16.0.5556.1005:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server:2019:16.0.10417.20153:*:*:*:*:*:*
cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*

Wed, 10 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:sharepoint_server:16.0.19725.20384:*:*:*:subscription:*:*:*
cpe:2.3:a:microsoft:sharepoint_server:2016:16.0.5556.1005:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server:2019:16.0.10417.20153:*:*:*:*:*:*

Wed, 10 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Title Microsoft SharePoint Server Spoofing Vulnerability
First Time appeared Microsoft
Microsoft sharepoint Server
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
Weaknesses CWE-79
CPEs cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft sharepoint Server
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
References
Metrics cvssV3_1

{'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-10T17:54:38.693Z

Reserved: 2026-05-19T20:12:27.070Z

Link: CVE-2026-47640

Vulnrichment

Updated: 2026-06-10T14:12:16.107Z

NVD

Status: Analyzed

Published: 2026-06-09T17:17:36.023

Modified: 2026-06-10T16:01:00.930

Link: CVE-2026-47640

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T23:00:13Z

Weaknesses