Description
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Published: 2026-06-09
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation, effectively a cross‑site scripting flaw. An attacker who already has authorized SharePoint access can insert crafted input that the server renders as part of an HTML page, allowing the attacker to display content as if it were coming from a trusted source and thus enabling spoofing over the network.

Affected Systems

Microsoft SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition are affected. No specific sub‑release information is provided, so all current releases within those products should be considered vulnerable.

Risk and Exploitability

The CVSS score of 4.6 indicates moderate impact. The EPSS score of < 1% indicates a very low exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves an authenticated user within the SharePoint installation who can inject malicious input. Because it requires legitimate access, the risk is most pronounced in environments with weak user privilege controls or where page generation is exposed to external users. Protecting against this flaw requires applying the vendor’s patch and ensuring proper HTML escaping of all dynamic content, in line with CWE‑20 mitigation practices.

Generated by OpenCVE AI on June 10, 2026 at 16:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the Microsoft security update that addresses CVE‑2026‑47641.
  • Review SharePoint permissions to limit who can add or modify pages, enforce least‑privilege, and consider disabling custom script capabilities if not required.
  • Configure SharePoint to restrict the use of custom scripts and prevent the injection of untrusted HTML content by tightening the Custom Script setting so that only trusted users can edit pages.



Advisories

No advisories yet.

History

Wed, 10 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:sharepoint_server:16.0.19725.20384:*:*:subscription:*:*:*:*
cpe:2.3:a:microsoft:sharepoint_server:2016:16.0.5556.1005:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server:2019:16.0.10417.20153:*:*:*:*:*:*
cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*

Wed, 10 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:microsoft:sharepoint_server:16.0.19725.20384:*:*:subscription:*:*:*:*
cpe:2.3:a:microsoft:sharepoint_server:2016:16.0.5556.1005:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server:2019:16.0.10417.20153:*:*:*:*:*:*

Wed, 10 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Title Microsoft SharePoint Server Spoofing Vulnerability
First Time appeared Microsoft
Microsoft sharepoint Server
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
Weaknesses CWE-20
CPEs cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft sharepoint Server
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
References
Metrics cvssV3_1

{'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-26T19:41:13.503Z

Reserved: 2026-05-19T20:12:27.070Z

Link: CVE-2026-47641

Vulnrichment

Updated: 2026-06-10T12:27:26.649Z

NVD

Status: Analyzed

Published: 2026-06-09T17:17:36.150

Modified: 2026-06-10T15:59:52.107

Link: CVE-2026-47641

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T17:00:17Z

Weaknesses