Skip to main content

Microsoft SharePoint EUVDEUVD-2026-35645

| CVE-2026-45468 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-09 secure@microsoft.com GHSA-rrcf-jg65-9c46
5.4
CVSS 3.1 · NVD
Temporal: 4.0
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
ENISA EUVD
HIGH
qualitative
CIRCL (temporal)
4.0 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
CVSS changed
Jun 11, 2026 - 02:52 NVD
4.6 (MEDIUM) 5.4 (MEDIUM)
Analysis Generated
Jun 09, 2026 - 19:45 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
MEDIUM 4.6

DescriptionNVD

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

AnalysisAI

Cross-site scripting in Microsoft SharePoint Server allows an authenticated low-privileged attacker to inject malicious scripts into SharePoint-generated web pages, enabling spoofing attacks against other authenticated users over the network. Three product lines are confirmed affected: SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016, each with specific patched build thresholds. No public exploit code has been identified at time of analysis, and Microsoft has released patches for all three product lines.

Technical ContextAI

CWE-79 (Improper Neutralization of Input During Web Page Generation) describes a class of vulnerabilities where user-controlled input is incorporated into dynamically generated HTML without adequate encoding or sanitization, allowing injection of executable script content. In Microsoft SharePoint, this manifests in the web page rendering layer - likely within content editing, list items, or page field inputs - where attacker-controlled data is reflected or stored and later served to other users without proper output encoding. CPE-confirmed affected products are Microsoft SharePoint Server Subscription Edition (baseline 16.0.0, fixed at 16.0.19725.20384), SharePoint Server 2019 (baseline 16.0.0, fixed at 16.0.10417.20153), and SharePoint Enterprise Server 2016 (baseline 16.0.0, fixed at 16.0.5556.1005). The CVSS vector AV:N/AC:L/PR:L/UI:R/S:U indicates a network-reachable, low-complexity attack requiring low-privilege authentication and victim interaction, with unchanged scope and limited confidentiality and integrity impact.

RemediationAI

The primary fix is to update to the Microsoft-released patched builds: SharePoint Server Subscription Edition to build 16.0.19725.20384 or later, SharePoint Server 2019 to build 16.0.10417.20153 or later, and SharePoint Enterprise Server 2016 to build 16.0.5556.1005 or later. Patch details and download links are available via the Microsoft Security Response Center at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45468. As a compensating control prior to patching, organizations can restrict the ability of low-privileged or guest users to create or edit SharePoint pages and list content - this directly removes the injection surface but may impact collaboration workflows. Additionally, enforcing strict Content Security Policy (CSP) headers at the WAF or reverse-proxy layer can reduce the exploitability of reflected or stored XSS by blocking inline script execution, though SharePoint's reliance on JavaScript-heavy UI may require careful policy tuning to avoid breaking functionality.

Share

EUVD-2026-35645 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy