Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Unauthenticated network-reachable deserialization (AV:N/PR:N/UI:N/AC:L) yielding code execution in the SharePoint web app with full C/I/A impact and no scope change.
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network.
AnalysisAI
Remote code execution in Microsoft SharePoint Server (2016, 2019, and Subscription Edition) lets an unauthenticated attacker run arbitrary code by sending a crafted serialized payload over the network. The flaw is an untrusted-data deserialization (CWE-502) rated CVSS 9.8 with PR:N/UI:N, meaning no credentials or user interaction are required. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only network access to a vulnerable SharePoint Server endpoint that deserializes attacker-controlled data; the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms unauthenticated remote exploitation with no user interaction against affected on-premises SharePoint 2016/2019/Subscription Edition. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | All available signals point to genuine high priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach a SharePoint web front end sends a single crafted HTTP request containing a malicious serialized .NET object to a vulnerable endpoint. When SharePoint deserializes the payload, a gadget chain executes attacker-supplied code in the context of the SharePoint web application, yielding code execution on the server without any credentials or user interaction. … |
| Remediation | Patch available per vendor advisory: apply the Microsoft security update for CVE-2026-50522 to all SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition front-end and application servers; obtain the exact KB and fixed build from https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50522 (the input does not include a specific build number, so confirm it there before deploying). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, conduct a complete inventory of all SharePoint 2016, 2019, and Subscription Edition deployments, identify internet-exposed instances, and implement emergency network access controls to restrict external connectivity if the service is not operationally critical. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Privilege elevation in Microsoft SharePoint Server (Enterprise Server 2016, Server 2019, and Subscription Edition) lets
Authenticated remote code execution in Microsoft SharePoint (Enterprise Server 2016, Server 2019, and Subscription Editi
Remote code execution in Microsoft SharePoint (Enterprise Server 2016, Server 2019, and Server Subscription Edition) all
Security feature bypass in Microsoft SharePoint (Enterprise Server 2016, Server 2019, and Server Subscription Edition) l
Privilege elevation in Microsoft SharePoint Server (Enterprise Server 2016 and Server 2019) allows an authenticated netw
Privilege escalation in Microsoft SharePoint Server (Enterprise Server 2016, Server 2019, and Subscription Edition) lets
Cross-site scripting (CWE-79) in on-premises Microsoft SharePoint Server allows an authenticated, low-privileged attacke
Spoofing via stored cross-site scripting in Microsoft SharePoint (Enterprise Server 2016, Server 2019, and Subscription
Local code execution in Microsoft Word (and Office/SharePoint components that render Word content) stems from an integer
Arbitrary code execution in Microsoft Office Word (and the broader Office/365/SharePoint family) arises from a stack-bas
Local code execution in Microsoft Word (part of Microsoft 365 Apps, Office 2019, Office LTSC 2021/2024, and Office for M
Local code execution in Microsoft Word (and the wider Microsoft Office / Microsoft 365 Apps family) lets an unauthorized
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43767
GHSA-ww8x-9jc5-9v7f