Description
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Published: 2026-06-09
Score: 4.6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation, effectively a cross‑site scripting flaw. An attacker who already has authorized SharePoint access can insert crafted input that the server renders as part of an HTML page, allowing the attacker to display content as if it were coming from a trusted source and thus enabling spoofing over the network.

Affected Systems

Microsoft SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition are affected. No specific sub‑release information is provided, so all current releases within those products should be considered vulnerable.

Risk and Exploitability

The CVSS score of 4.6 indicates medium severity. Exploitation probability is unknown because EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an authenticated user within the SharePoint installation who can inject malicious input. Because exploitation requires legitimate access, the risk is most pronounced in environments with weak user privilege controls or where page generation is exposed to external users. Protecting against this flaw requires applying the vendor’s patch and ensuring proper HTML escaping of all dynamic content, in line with CWE‑20 mitigation practices.

Generated by OpenCVE AI on June 9, 2026 at 20:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the Microsoft security update that addresses CVE‑2026‑47641.
  • Review SharePoint permissions to limit who can add or modify pages, enforce least‑privilege, and consider disabling custom script capabilities if not required.
  • Configure SharePoint to restrict the use of custom scripts and prevent the injection of untrusted HTML content by tightening the Custom Script setting so that only trusted users can edit pages.



Advisories

No advisories yet.

History

Tue, 09 Jun 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. |
| Title | | Microsoft SharePoint Server Spoofing Vulnerability |
| First Time appeared | | Microsoft; Microsoft sharepoint Server; Microsoft sharepoint Server 2016; Microsoft sharepoint Server 2019 |
| Weaknesses | | CWE-20 |
| CPEs | | `cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*`; `cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*`; `cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*` |
| Vendors & Products | | Microsoft; Microsoft sharepoint Server; Microsoft sharepoint Server 2016; Microsoft sharepoint Server 2019 |
| References | | |
| Metrics | | cvssV3_1: {'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C'} |


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T17:48:46.277Z

Reserved: 2026-05-19T20:12:27.070Z

Link: CVE-2026-47641

Vulnrichment

No data.

NVD

Status: Undergoing Analysis

Published: 2026-06-09T17:17:36.150

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-47641

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T20:30:13Z

Weaknesses