Description
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Published: 2026-06-09
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input in Microsoft SharePoint results in cross‑site scripting vulnerabilities that enable an authorized attacker to inject malicious HTML or JavaScript into web pages. When such content is viewed by users, the attacker can impersonate legitimate pages or content, potentially luring users to perform unintended actions such as submitting credentials or clicking malicious links.

Affected Systems

Microsoft SharePoint Server versions 2016, 2019, and the Subscription Edition are affected. No precise patch level information is available, so any installation of these products may be vulnerable unless patched by Microsoft.

Risk and Exploitability

The CVSS score of 4.6 indicates a moderate risk profile. Exploitability data is not currently available from EPSS and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers need authorized access to the SharePoint environment to inject the malicious payload (PR:L in the CVSS vector), and a user must then view the affected content (UI:R). Injection is therefore likely to occur through legitimate administrative or content-creation channels rather than through a purely remote, unauthenticated request.

Generated by OpenCVE AI on June 9, 2026 at 20:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Review the Microsoft advisory linked above to determine the specific update that addresses this XSS flaw
  • Apply the Microsoft patch or update for SharePoint Server 2016, 2019, or Subscription Edition as soon as it becomes available
  • Implement input validation and, where possible, a Content Security Policy to restrict script execution on untrusted content
  • Monitor SharePoint logs for unauthorized content modifications and periodically scan for injected scripts



Advisories

No advisories yet.

History

Wed, 10 Jun 2026 11:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Microsoft sharepoint Enterprise Server 2016; Microsoft sharepoint Server Subscription Edition |
| Vendors & Products | | Microsoft sharepoint Enterprise Server 2016; Microsoft sharepoint Server Subscription Edition |

Tue, 09 Jun 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. |
| Title | | Microsoft SharePoint Server Spoofing Vulnerability |
| First Time appeared | | Microsoft; Microsoft sharepoint Server; Microsoft sharepoint Server 2016; Microsoft sharepoint Server 2019 |
| Weaknesses | | CWE-79 |
| CPEs | | `cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*`; `cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*`; `cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*` |
| Vendors & Products | | Microsoft; Microsoft sharepoint Server; Microsoft sharepoint Server 2016; Microsoft sharepoint Server 2019 |
| References | | |
| Metrics | | cvssV3_1: `{'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C'}` |


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T21:51:05.559Z

Reserved: 2026-05-21T20:00:35.245Z

Link: CVE-2026-48562

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-06-09T17:17:44.760

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-48562

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T11:00:14Z

Weaknesses