Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
5DescriptionCVE.org
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
AnalysisAI
Stored cross-site scripting (XSS) in Microsoft SharePoint Server allows authenticated users to inject malicious scripts that execute in the browsers of other authorized users viewing affected web pages, enabling account spoofing and credential theft within enterprise collaboration environments. The vulnerability affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition across all versions prior to specific patch releases. CVSS score of 4.6 reflects low severity due to authentication requirement and user interaction needed, but real-world risk is elevated in multi-user SharePoint deployments where XSS can be weaponized for privilege escalation or lateral movement.
Technical ContextAI
This vulnerability is classified as improper input neutralization during HTML generation (CWE-79), a classic stored XSS flaw where user-supplied input is rendered into web pages without adequate sanitization or output encoding. SharePoint Server's web page generation mechanism fails to neutralize malicious script tags or event handlers submitted by authenticated users, allowing attacker-controlled payloads to persist in the application and execute with the privileges of subsequent site visitors. The affected products (SharePoint Enterprise Server 2016, Server 2019, and Subscription Edition) all use the same vulnerable code path for content rendering across document libraries, lists, and page publishing features. The vulnerability requires Network access vector and Low attack complexity, indicating it can be exploited through standard HTTP/HTTPS requests without special network positioning.
RemediationAI
Apply vendor-released security patches immediately: SharePoint Enterprise Server 2016 must be updated to 16.0.5548.1003 or later, SharePoint Server 2019 to 16.0.10417.20114 or later, and SharePoint Server Subscription Edition to 16.0.19725.20210 or later. Organizations unable to patch immediately should restrict SharePoint access to trusted internal networks and disable public-facing SharePoint sites until updates are deployed. Additionally, implement Content Security Policy (CSP) headers to restrict inline script execution and educate users to avoid clicking suspicious links within SharePoint content. Complete patching instructions and validation steps are available in the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20945.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22355