Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionNVD
Improper limitation of a pathname to a restricted directory ('path traversal') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
AnalysisAI
Path traversal in Microsoft SharePoint Server (2016, 2019, and Subscription Edition) enables an authenticated low-privileged attacker to execute code over a network by escaping the intended directory scope. Affected builds span all three actively maintained SharePoint Server product lines, with vendor-confirmed patches available for each. No public exploit code has been identified at time of analysis, and this CVE is not currently listed in the CISA KEV catalog; however, the low attack complexity (AC:L) and no user interaction requirement (UI:N) make it a credible target for exploitation once an attacker has any valid SharePoint credential.
Technical ContextAI
CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) describes a class of vulnerability where user-controlled path segments - such as '../' sequences or absolute path references - are not adequately sanitized before being used to access filesystem or web resources. In SharePoint's case, the affected code path likely involves a server-side file operation (document library access, page rendering, or a REST/SOAP endpoint) that accepts a caller-supplied path and resolves it without sufficiently canonicalizing or bounding it within the SharePoint web root or content database directory. The CPE-implied scope covers Microsoft SharePoint Server 2016 (all 16.0.x builds prior to 16.0.5556.1005), SharePoint Server 2019 (all 16.0.x builds prior to 16.0.10417.20153), and SharePoint Server Subscription Edition (all 16.0.x builds prior to 16.0.19725.20384). All three product lines share the same major version branch (16.0), suggesting a common code ancestry and a coordinated patch across all three.
RemediationAI
The primary remediation is to apply the Microsoft-released patches for each affected product line. Upgrade Microsoft SharePoint Server 2019 to build 16.0.10417.20153 or later, Microsoft SharePoint Server Subscription Edition to build 16.0.19725.20384 or later, and Microsoft SharePoint Enterprise Server 2016 to build 16.0.5556.1005 or later. Patches are confirmed available per vendor (reported by secure@microsoft.com); full details are at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45454. If immediate patching is not feasible, compensating controls include restricting SharePoint access to known trusted user accounts and IP ranges at the perimeter or WAF layer to prevent low-privilege external users from reaching the vulnerable endpoint - note this does not protect against internal threat actors. Additionally, auditing SharePoint ULS logs for path traversal patterns (sequences containing '../', '%2e%2e', or absolute path references in request URLs) can help detect exploitation attempts. Disabling anonymous or externally federated authentication temporarily reduces the authenticated low-privilege attack surface but may impact business functionality.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35538
GHSA-j6gx-wmw5-cqj8