Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionNVD
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
AnalysisAI
Stored or reflected cross-site scripting in Microsoft SharePoint Server enables an authenticated network attacker to perform spoofing attacks against other users by injecting malicious script into web page output. Affected products span three SharePoint Server product lines - 2016 Enterprise, 2019, and Subscription Edition - all on build version 16.0.x below their respective patched thresholds. Microsoft has released patches across all affected branches; no public exploit identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Technical ContextAI
CWE-79 (Improper Neutralization of Input During Web Page Generation) describes a class of flaws where attacker-controlled input is reflected or persisted into HTML output without adequate encoding or sanitization, causing the browser to execute injected script in the context of the targeted origin. SharePoint Server, as a web-based collaboration and document management platform, exposes numerous user-controlled input surfaces - page titles, metadata fields, web parts, list items - any of which could serve as the injection vector. The affected CPE spans SharePoint Server 2016 Enterprise (16.0.0 < 16.0.5556.1005), SharePoint Server 2019 (16.0.0 < 16.0.10417.20153), and SharePoint Server Subscription Edition (16.0.0 < 16.0.19725.20384), all sharing the same 16.0.x build versioning lineage. The network-accessible (AV:N) nature of SharePoint means the vulnerable endpoint is reachable without local system access.
RemediationAI
Patch available per vendor advisory - organizations should update to the patched builds identified in EUVD-2026-35542: SharePoint Server 2019 should be updated to build 16.0.10417.20153 or later; SharePoint Server Subscription Edition to 16.0.19725.20384 or later; SharePoint Enterprise Server 2016 to 16.0.5556.1005 or later. Patching guidance and download links are available through the Microsoft Security Response Center at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45462. Until patching is complete, compensating controls include restricting SharePoint content-creation permissions to trusted users only (reducing the PR:L attacker pool), enabling Content Security Policy headers at the reverse proxy or WAF layer to limit script execution from injected payloads, and monitoring SharePoint audit logs for unusual page or list modifications by low-privilege accounts. Note that CSP enforcement may affect legitimate SharePoint web parts and should be tested in a staging environment before production rollout.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35542
GHSA-hvr7-96wf-c34f