Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
AnalysisAI
Cross-site scripting in Microsoft SharePoint allows an authenticated low-privilege network attacker to inject malicious script content into SharePoint pages, enabling spoofing attacks against victim users who render the affected content. Three product lines are affected: SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition, all at specific 16.0.x build levels. No public exploit code or CISA KEV listing has been identified at time of analysis; the CVSS 4.6 Medium score reflects meaningful risk reduction from the dual prerequisites of authenticated access and required victim interaction.
Technical ContextAI
CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates that user-supplied input is insufficiently encoded or sanitized before being rendered as HTML output, allowing an attacker to embed executable script content into the SharePoint web interface. Microsoft SharePoint is a widely-deployed enterprise collaboration and document management platform built on ASP.NET; its rich content editing surfaces (pages, lists, web parts) represent common XSS injection points. The affected product lines - SharePoint Enterprise Server 2016 (build < 16.0.5556.1005), SharePoint Server 2019 (build < 16.0.10417.20153), and SharePoint Server Subscription Edition (build < 16.0.19725.20384) - all share the 16.0.x codebase, suggesting the flaw exists in a shared rendering component. The spoofing impact described by Microsoft is consistent with XSS patterns where injected content can impersonate UI elements or redirect user interactions within the trusted SharePoint origin.
RemediationAI
Apply vendor-released patches as follows: upgrade SharePoint Enterprise Server 2016 to build 16.0.5556.1005 or later, SharePoint Server 2019 to build 16.0.10417.20153 or later, and SharePoint Server Subscription Edition to build 16.0.19725.20384 or later, per the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47638. If immediate patching is not operationally feasible, restrict contributor and edit permissions to trusted users only, reducing the pool of accounts that can inject content into SharePoint pages and lists - note this may impact legitimate collaboration workflows. Deploying or tightening a Content Security Policy (CSP) header at the reverse proxy or WAF layer to restrict script execution origins can serve as a secondary control, but requires careful tuning to avoid breaking SharePoint's own JavaScript-dependent UI components. Monitor SharePoint audit logs for unusual page or list modifications by low-privilege accounts as a detection measure during the remediation window.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35511
GHSA-v273-fx7c-xfq2