Skip to main content

Microsoft SharePoint EUVDEUVD-2026-35510

| CVE-2026-47637 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-09 secure@microsoft.com GHSA-vvhp-rjg5-26p6
4.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.6 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
ENISA EUVD
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 09, 2026 - 19:35 vuln.today
Patch available
Jun 09, 2026 - 19:03 EUVD
CVE Published
Jun 09, 2026 - 17:17 nvd
MEDIUM 4.6

DescriptionCVE.org

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

AnalysisAI

Cross-site scripting in Microsoft SharePoint Server (Subscription Edition, 2019, and 2016) enables an authenticated low-privileged attacker to inject malicious scripts into web pages served to other users, resulting in spoofing over the network. The CVSS vector (PR:L/UI:R/S:U) confirms exploitation requires valid credentials and victim interaction, constraining the attack surface to authenticated SharePoint environments where a user can be induced to visit attacker-controlled content. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Technical ContextAI

CWE-79 (Improper Neutralization of Input During Web Page Generation) describes a failure to sanitize user-controlled input before it is rendered as HTML or JavaScript in a web response. In SharePoint's context, this arises within its server-side page generation pipeline - likely in a content editing, list item, or web part rendering pathway - where attacker-supplied data is echoed back without adequate encoding or filtering. All three affected product lines share the 16.0.x version branch: SharePoint Server Subscription Edition (below 16.0.19725.20384), SharePoint Server 2019 (below 16.0.10417.20153), and SharePoint Enterprise Server 2016 (below 16.0.5556.1005). The unchanged scope (S:U) in the CVSS vector indicates the injected script executes within the SharePoint application's own security boundary rather than escaping to the host OS or adjacent applications.

RemediationAI

Apply Microsoft's vendor-released patches: upgrade SharePoint Server Subscription Edition to build 16.0.19725.20384 or later, SharePoint Server 2019 to build 16.0.10417.20153 or later, and SharePoint Enterprise Server 2016 to build 16.0.5556.1005 or later. Patch details and download links are available via the Microsoft Security Response Center at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47637. If immediate patching is not feasible, restrict SharePoint site editing permissions to the minimum necessary set of trusted accounts to reduce the attacker's ability to inject content - note this does not eliminate risk if any low-privileged account is compromised. Additionally, enabling SharePoint's built-in HTML field security settings and auditing unusual content changes in web parts or list items can serve as a detection-oriented compensating control until the patch is applied.

Share

EUVD-2026-35510 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy