Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
AnalysisAI
Cross-site scripting in Microsoft SharePoint Server (Subscription Edition, 2019, and 2016) enables an authenticated low-privileged attacker to inject malicious scripts into web pages served to other users, resulting in spoofing over the network. The CVSS vector (PR:L/UI:R/S:U) confirms exploitation requires valid credentials and victim interaction, constraining the attack surface to authenticated SharePoint environments where a user can be induced to visit attacker-controlled content. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Technical ContextAI
CWE-79 (Improper Neutralization of Input During Web Page Generation) describes a failure to sanitize user-controlled input before it is rendered as HTML or JavaScript in a web response. In SharePoint's context, this arises within its server-side page generation pipeline - likely in a content editing, list item, or web part rendering pathway - where attacker-supplied data is echoed back without adequate encoding or filtering. All three affected product lines share the 16.0.x version branch: SharePoint Server Subscription Edition (below 16.0.19725.20384), SharePoint Server 2019 (below 16.0.10417.20153), and SharePoint Enterprise Server 2016 (below 16.0.5556.1005). The unchanged scope (S:U) in the CVSS vector indicates the injected script executes within the SharePoint application's own security boundary rather than escaping to the host OS or adjacent applications.
RemediationAI
Apply Microsoft's vendor-released patches: upgrade SharePoint Server Subscription Edition to build 16.0.19725.20384 or later, SharePoint Server 2019 to build 16.0.10417.20153 or later, and SharePoint Enterprise Server 2016 to build 16.0.5556.1005 or later. Patch details and download links are available via the Microsoft Security Response Center at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47637. If immediate patching is not feasible, restrict SharePoint site editing permissions to the minimum necessary set of trusted accounts to reduce the attacker's ability to inject content - note this does not eliminate risk if any low-privileged account is compromised. Additionally, enabling SharePoint's built-in HTML field security settings and auditing unusual content changes in web parts or list items can serve as a detection-oriented compensating control until the patch is applied.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35510
GHSA-vvhp-rjg5-26p6