Skip to main content

Microsoft SharePoint EUVDEUVD-2026-35542

| CVE-2026-45462 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-09 secure@microsoft.com GHSA-hvr7-96wf-c34f
4.6
CVSS 3.1 · NVD
Temporal: 4.0
Share

Severity by source

NVD PRIMARY
4.6 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
ENISA EUVD
HIGH
qualitative
CIRCL (temporal)
4.0 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 09, 2026 - 19:47 vuln.today
Patch available
Jun 09, 2026 - 19:03 EUVD
CVE Published
Jun 09, 2026 - 17:17 nvd
MEDIUM 4.6

DescriptionNVD

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

AnalysisAI

Stored or reflected cross-site scripting in Microsoft SharePoint Server enables an authenticated network attacker to perform spoofing attacks against other users by injecting malicious script into web page output. Affected products span three SharePoint Server product lines - 2016 Enterprise, 2019, and Subscription Edition - all on build version 16.0.x below their respective patched thresholds. Microsoft has released patches across all affected branches; no public exploit identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Technical ContextAI

CWE-79 (Improper Neutralization of Input During Web Page Generation) describes a class of flaws where attacker-controlled input is reflected or persisted into HTML output without adequate encoding or sanitization, causing the browser to execute injected script in the context of the targeted origin. SharePoint Server, as a web-based collaboration and document management platform, exposes numerous user-controlled input surfaces - page titles, metadata fields, web parts, list items - any of which could serve as the injection vector. The affected CPE spans SharePoint Server 2016 Enterprise (16.0.0 < 16.0.5556.1005), SharePoint Server 2019 (16.0.0 < 16.0.10417.20153), and SharePoint Server Subscription Edition (16.0.0 < 16.0.19725.20384), all sharing the same 16.0.x build versioning lineage. The network-accessible (AV:N) nature of SharePoint means the vulnerable endpoint is reachable without local system access.

RemediationAI

Patch available per vendor advisory - organizations should update to the patched builds identified in EUVD-2026-35542: SharePoint Server 2019 should be updated to build 16.0.10417.20153 or later; SharePoint Server Subscription Edition to 16.0.19725.20384 or later; SharePoint Enterprise Server 2016 to 16.0.5556.1005 or later. Patching guidance and download links are available through the Microsoft Security Response Center at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45462. Until patching is complete, compensating controls include restricting SharePoint content-creation permissions to trusted users only (reducing the PR:L attacker pool), enabling Content Security Policy headers at the reverse proxy or WAF layer to limit script execution from injected payloads, and monitoring SharePoint audit logs for unusual page or list modifications by low-privilege accounts. Note that CSP enforcement may affect legitimate SharePoint web parts and should be tested in a staging environment before production rollout.

Share

EUVD-2026-35542 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy