Description
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Published: 2026-06-09
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An input-handling flaw in Microsoft SharePoint Server allows an attacker with authorized access to insert arbitrary input into the web page generation process. The input is not properly neutralized, resulting in a classic cross-site scripting condition that can be used to spoof the appearance or behavior of the site. Exploitation can lead to users believing they are interacting with a legitimate page when, in fact, the attacker has injected deceptive content.

Affected Systems

The vulnerability affects Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, and Microsoft SharePoint Server Subscription Edition. Specific build numbers are not given, so any release prior to the latest security update from Microsoft is potentially affected.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. The EPSS score is unavailable, and the flaw is not listed in CISA's KEV catalog, suggesting it is not known to be exploited in the wild yet. The attack vector is network-based; an attacker must have valid credentials or be able to submit content to the SharePoint instance to trigger the injection. If this condition is met, the attacker can present spoofed content to end users, undermining trust and potentially facilitating further social-engineering or phishing attacks.

Generated by OpenCVE AI on June 9, 2026 at 20:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft SharePoint Server security update available from the Microsoft Security Response Center.
  • Restrict the set of users who can submit content to the web pages, and enforce least‑privilege policies to minimize the impact of an attacker who gains authorized access.
  • Implement or enforce input validation and output encoding controls on all content that flows from user input to the rendered web pages to prevent cross‑site scripting.

Tracking


Advisories

No advisories yet.

History

Tue, 09 Jun 2026 18:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 17:15:00 +0000

Type | Values Removed | Values Added
Description | | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Title | | Microsoft SharePoint Server Spoofing Vulnerability
First Time appeared | | Microsoft; Microsoft sharepoint Server; Microsoft sharepoint Server 2016; Microsoft sharepoint Server 2019
Weaknesses | | CWE-502
CPEs | | cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*; cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*; cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*
Vendors & Products | | Microsoft; Microsoft sharepoint Server; Microsoft sharepoint Server 2016; Microsoft sharepoint Server 2019
References | |
Metrics | | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T21:51:04.923Z

Reserved: 2026-05-21T20:00:35.245Z

Link: CVE-2026-48560

Vulnrichment

Updated: 2026-06-09T17:48:48.329Z

NVD

Status: Awaiting Analysis

Published: 2026-06-09T17:17:44.633

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-48560

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T20:15:07Z

Weaknesses