Skip to main content

Microsoft EUVDEUVD-2026-22355

| CVE-2026-20945 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-14 microsoft
4.6
CVSS 3.1 · NVD
Temporal: 4.0
Share

Severity by source

NVD PRIMARY
4.6 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
ENISA EUVD
HIGH
qualitative
CIRCL (temporal)
4.0 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Analysis Generated
Apr 14, 2026 - 18:50 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:46 euvd
EUVD-2026-22355
Analysis Generated
Apr 14, 2026 - 17:46 vuln.today
Patch released
Apr 14, 2026 - 17:46 nvd
Patch available
CVE Published
Apr 14, 2026 - 16:56 nvd
MEDIUM 4.6

DescriptionCVE.org

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

AnalysisAI

Stored cross-site scripting (XSS) in Microsoft SharePoint Server allows authenticated users to inject malicious scripts that execute in the browsers of other authorized users viewing affected web pages, enabling account spoofing and credential theft within enterprise collaboration environments. The vulnerability affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition across all versions prior to specific patch releases. CVSS score of 4.6 reflects low severity due to authentication requirement and user interaction needed, but real-world risk is elevated in multi-user SharePoint deployments where XSS can be weaponized for privilege escalation or lateral movement.

Technical ContextAI

This vulnerability is classified as improper input neutralization during HTML generation (CWE-79), a classic stored XSS flaw where user-supplied input is rendered into web pages without adequate sanitization or output encoding. SharePoint Server's web page generation mechanism fails to neutralize malicious script tags or event handlers submitted by authenticated users, allowing attacker-controlled payloads to persist in the application and execute with the privileges of subsequent site visitors. The affected products (SharePoint Enterprise Server 2016, Server 2019, and Subscription Edition) all use the same vulnerable code path for content rendering across document libraries, lists, and page publishing features. The vulnerability requires Network access vector and Low attack complexity, indicating it can be exploited through standard HTTP/HTTPS requests without special network positioning.

RemediationAI

Apply vendor-released security patches immediately: SharePoint Enterprise Server 2016 must be updated to 16.0.5548.1003 or later, SharePoint Server 2019 to 16.0.10417.20114 or later, and SharePoint Server Subscription Edition to 16.0.19725.20210 or later. Organizations unable to patch immediately should restrict SharePoint access to trusted internal networks and disable public-facing SharePoint sites until updates are deployed. Additionally, implement Content Security Policy (CSP) headers to restrict inline script execution and educate users to avoid clicking suspicious links within SharePoint content. Complete patching instructions and validation steps are available in the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20945.

Share

EUVD-2026-22355 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy