Skip to main content

Microsoft SharePoint CVE-2026-45659

| EUVDEUVD-2026-31518 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-05-22 microsoft GHSA-w3mh-jmwv-56f3
8.8
CVSS 3.1 · Vendor: microsoft
Temporal: 7.7
Share

Severity by source

Vendor (microsoft) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CIRCL (temporal)
7.7 HIGH
cvss

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Added to CISA KEV
Jul 01, 2026 - 20:02 CISA
Analysis Generated
May 22, 2026 - 22:48 vuln.today

DescriptionCVE.org

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

AnalysisAI

Authenticated remote code execution in Microsoft SharePoint (Enterprise Server 2016, Server 2019, and Subscription Edition) stems from unsafe deserialization of untrusted data (CWE-502), enabling an authorized attacker to run arbitrary code on the server over the network. CVSS 8.8 with low privileges required and no user interaction makes this attractive to post-authentication adversaries, though no public exploit identified at time of analysis and CVSS temporal data marks exploit code maturity as Unproven.

Technical ContextAI

Microsoft SharePoint is a widely deployed collaboration and document management platform that processes serialized .NET objects across many internal pipelines (web parts, workflows, BDC, view state, and event receivers). CWE-502 (Deserialization of Untrusted Data) occurs when an application reconstructs attacker-controlled serialized data into live objects without type or integrity validation, allowing gadget chains in BinaryFormatter, LosFormatter, NetDataContractSerializer, or similar .NET serializers to trigger arbitrary method invocations during the deserialization process. The affected CPEs - microsoft_sharepoint_enterprise_server_2016, microsoft_sharepoint_server_2019, and microsoft_sharepoint_server_subscription_edition - share the same core server-side object model and have historically been impacted by repeated deserialization flaws (e.g., the ToolPane and Workflow gadget chains), suggesting this issue lives in a similar server-side handler reachable by an authenticated user.

RemediationAI

Patch available per vendor advisory - apply the Microsoft security update referenced at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45659 to all affected SharePoint Enterprise Server 2016, Server 2019, and Subscription Edition farms, prioritizing internet-facing and multi-tenant deployments. Until the cumulative update can be staged through a maintenance window, compensating controls include restricting SharePoint user account provisioning to vetted identities (since PR:L is required), enforcing MFA on all SharePoint logins to slow credential-based pivoting, placing the SharePoint farm behind a WAF or reverse proxy that can block serialized .NET payload patterns (Base64 BinaryFormatter signatures, viewstate without MAC), and reviewing AntiXSS/AppLocker and AMSI integration on the web front-end servers to detect post-deserialization gadget execution. Note that WAF-based filtering of serialized payloads is fragile against encoding variations and should not be considered a substitute for the patch.

CVE-2026-56164 CRITICAL POC
9.8 Jul 14

Privilege elevation in Microsoft SharePoint Server (Enterprise Server 2016, Server 2019, and Subscription Edition) lets

CVE-2026-58644 CRITICAL POC
9.8 Jul 14

Remote code execution in Microsoft SharePoint (Enterprise Server 2016, Server 2019, and Server Subscription Edition) all

CVE-2026-50522 CRITICAL
9.8 Jul 14

Remote code execution in Microsoft SharePoint Server (2016, 2019, and Subscription Edition) lets an unauthenticated atta

CVE-2026-55040 CRITICAL
9.1 Jul 14

Security feature bypass in Microsoft SharePoint (Enterprise Server 2016, Server 2019, and Server Subscription Edition) l

CVE-2026-58277 HIGH
8.8 Jul 14

Privilege elevation in Microsoft SharePoint Server (Enterprise Server 2016 and Server 2019) allows an authenticated netw

CVE-2026-55052 HIGH
8.8 Jul 14

Privilege escalation in Microsoft SharePoint Server (Enterprise Server 2016, Server 2019, and Subscription Edition) lets

CVE-2026-55034 HIGH
8.7 Jul 14

Cross-site scripting (CWE-79) in on-premises Microsoft SharePoint Server allows an authenticated, low-privileged attacke

CVE-2026-55021 HIGH
8.7 Jul 14

Spoofing via stored cross-site scripting in Microsoft SharePoint (Enterprise Server 2016, Server 2019, and Subscription

CVE-2026-55033 HIGH
7.8 Jul 14

Local code execution in Microsoft Word (and Office/SharePoint components that render Word content) stems from an integer

CVE-2026-55038 HIGH
7.8 Jul 14

Arbitrary code execution in Microsoft Office Word (and the broader Office/365/SharePoint family) arises from a stack-bas

CVE-2026-55132 HIGH
7.8 Jul 14

Local code execution in Microsoft Word (part of Microsoft 365 Apps, Office 2019, Office LTSC 2021/2024, and Office for M

CVE-2026-55127 HIGH
7.8 Jul 14

Local code execution in Microsoft Word (and the wider Microsoft Office / Microsoft 365 Apps family) lets an unauthorized

Share

CVE-2026-45659 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy