Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
AnalysisAI
Cross-site scripting in Microsoft SharePoint allows an authenticated network attacker to inject malicious scripts into SharePoint-generated web pages, enabling spoofing attacks against other authenticated users. Affected products span three active SharePoint server product lines - Enterprise Server 2016, Server 2019, and Subscription Edition - all sharing the 16.0.x codebase, with vendor-released patches now available per MSRC. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Technical ContextAI
This vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-Site Scripting), indicating that SharePoint's web rendering layer fails to adequately sanitize attacker-supplied input before embedding it in HTML output delivered to other users' browsers. Microsoft SharePoint is an enterprise collaboration platform built on ASP.NET, providing document management, intranet portals, and list-based data sharing. All three affected product lines - SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition - share the version 16.0.x code base, per EUVD-2026-35578 CPE-aligned version data. The XSS condition allows injected script content to execute within the SharePoint web origin in a victim's browser, enabling session context abuse within that origin.
RemediationAI
Apply the vendor-released patches published by Microsoft Security Response Center. The fixed versions are: SharePoint Enterprise Server 2016 build 16.0.5556.1005 or later, SharePoint Server 2019 build 16.0.10417.20153 or later, and SharePoint Server Subscription Edition build 16.0.19725.20384 or later. Patch details and download links are available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47640. If immediate patching is not operationally feasible, reduce attack surface by restricting SharePoint content-creation and editing permissions to the minimum necessary set of users, since exploitation requires an authenticated contributor-level account - note that tightening permissions may impair normal collaboration workflows. If your SharePoint deployment supports custom HTTP response headers, enforcing a restrictive Content-Security-Policy can limit the runtime impact of injected scripts by constraining script execution origins, though this is a defense-in-depth measure and not a substitute for patching.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35578
GHSA-r9mh-796v-4gxx