Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionNVD
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
AnalysisAI
Cross-site scripting in Microsoft SharePoint allows an authenticated network attacker to perform spoofing attacks by injecting malicious script into web page content. Affected products include SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition across all builds below their respective patched versions. No public exploit identified at time of analysis, and this CVE is not listed in the CISA KEV catalog; the CVSS score of 4.6 reflects the mandatory user interaction and constrained confidentiality/integrity impact.
Technical ContextAI
CWE-79 (Improper Neutralization of Input During Web Page Generation) describes the root cause: user-supplied input is embedded into generated HTML responses without sufficient sanitization or encoding, enabling script injection. SharePoint is Microsoft's enterprise collaboration and document management platform built on ASP.NET; it renders rich web content from user contributions such as list items, page web parts, and site pages, making it a historically recurring target for stored or reflected XSS. The CVSS vector AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N indicates the injection is reachable over the network with low-complexity exploitation, but requires the victim to interact with attacker-influenced content and the attacker to hold at minimum a low-privilege SharePoint account. Affected CPE-equivalent products confirmed by EUVD: Microsoft SharePoint Enterprise Server 2016 (build < 16.0.5556.1005), SharePoint Server 2019 (build < 16.0.10417.20153), and SharePoint Server Subscription Edition (build < 16.0.19725.20384).
RemediationAI
Vendor-released patches are available for all three affected product lines. Upgrade Microsoft SharePoint Enterprise Server 2016 to build 16.0.5556.1005 or later, SharePoint Server 2019 to build 16.0.10417.20153 or later, and SharePoint Server Subscription Edition to build 16.0.19725.20384 or later. Apply updates via the Microsoft Update Catalog or WSUS following standard SharePoint patching procedures; note that SharePoint cumulative updates require installation on all servers in the farm and a PSConfig/Products Configuration Wizard run afterward, which entails a maintenance window and brief service interruption. The official advisory is at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45479. If immediate patching is not feasible, compensating controls include restricting SharePoint contribution rights to fully trusted internal accounts only (removing anonymous and external-user access), enabling SharePoint's built-in HTML field security to strip script tags from rich-text fields, and deploying a web application firewall rule to detect and block reflected XSS payloads in SharePoint HTTP responses - note that WAF rules cannot reliably block stored XSS variants and carry a risk of false positives on legitimate rich content.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35651
GHSA-8vm2-c62x-276c