Microsoft SharePoint CVE-2026-47294

EUVD-2026-33745 | HIGH
OS Command Injection (CWE-78)
Published 2026-06-01 · Vendor: microsoft · GHSA-chp7-cgwg-984j
CVSS 3.1 base score: 8.0 (Vendor: microsoft)
CVSS temporal score: 7.0

Severity by source

Vendor (microsoft), primary: 8.0 HIGH (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
CIRCL (temporal): 7.0 HIGH

Primary rating from Vendor (microsoft).

CVSS Vector (Vendor: microsoft)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Jun 01, 2026 - 19:22 (vuln.today)
CVE Published: Jun 01, 2026 - 18:26 (nvd), rated HIGH 8.0

Description (CVE.org)

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

Analysis (AI)

Remote code execution in Microsoft SharePoint Server (2016 Enterprise, 2019, and Subscription Edition) allows an authenticated attacker to execute arbitrary code on the server by submitting crafted serialized data that triggers unsafe deserialization. The CVSS 8.0 vector requires low privileges and user interaction, and no public exploit is identified at time of analysis. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Obtain low-privileged SharePoint account
Delivery: Craft malicious serialized .NET payload
Exploit: Submit payload to vulnerable endpoint
Install: Lure authenticated user to trigger processing
C2: Deserialization invokes gadget chain
Execute: Execute OS commands as service account
Impact: Pivot and exfiltrate enterprise data

Vulnerability Assessment (AI)

Exploitation: The attacker must hold a valid low-privileged SharePoint account (PR:L) on a vulnerable on-premises SharePoint Server 2016 Enterprise, 2019, or Subscription Edition deployment reachable over the network (AV:N). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 8.0 vector (AV:N/AC:L/PR:L/UI:R) describes a network-reachable flaw with low complexity, but it requires both low-level authentication and user interaction, which materially reduces drive-by exploitation risk compared to a pre-auth RCE. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker who has obtained any low-privileged SharePoint account (for example via phishing or password spray) crafts a malicious serialized .NET payload and submits it to a vulnerable SharePoint endpoint, then induces a legitimate user to click a link or open a page that triggers processing of the payload. Deserialization invokes a gadget chain that executes attacker-chosen OS commands as the SharePoint service account, giving the attacker a foothold to harvest credentials, pivot to the SQL backend, or exfiltrate document libraries. …

Remediation: Apply the vendor-released security update available through Microsoft's monthly Patch Tuesday channel as documented at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47294, selecting the package matching your SharePoint SKU (2016 Enterprise, 2019, or Subscription Edition); exact KB numbers and fix builds should be retrieved directly from MSRC, since they were not enumerated in the provided intelligence. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Inventory all deployed SharePoint Server instances (versions 2016, 2019, Subscription Edition) and document user access scope. …


CVE-2026-47294 vulnerability details – vuln.today
