Skip to main content

Microsoft SharePoint EUVDEUVD-2026-35651

| CVE-2026-45479 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-09 secure@microsoft.com GHSA-8vm2-c62x-276c
4.6
CVSS 3.1 · NVD
Temporal: 4.0
Share

Severity by source

NVD PRIMARY
4.6 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
ENISA EUVD
HIGH
qualitative
CIRCL (temporal)
4.0 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 09, 2026 - 19:44 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
MEDIUM 4.6

DescriptionNVD

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

AnalysisAI

Cross-site scripting in Microsoft SharePoint allows an authenticated network attacker to perform spoofing attacks by injecting malicious script into web page content. Affected products include SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition across all builds below their respective patched versions. No public exploit identified at time of analysis, and this CVE is not listed in the CISA KEV catalog; the CVSS score of 4.6 reflects the mandatory user interaction and constrained confidentiality/integrity impact.

Technical ContextAI

CWE-79 (Improper Neutralization of Input During Web Page Generation) describes the root cause: user-supplied input is embedded into generated HTML responses without sufficient sanitization or encoding, enabling script injection. SharePoint is Microsoft's enterprise collaboration and document management platform built on ASP.NET; it renders rich web content from user contributions such as list items, page web parts, and site pages, making it a historically recurring target for stored or reflected XSS. The CVSS vector AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N indicates the injection is reachable over the network with low-complexity exploitation, but requires the victim to interact with attacker-influenced content and the attacker to hold at minimum a low-privilege SharePoint account. Affected CPE-equivalent products confirmed by EUVD: Microsoft SharePoint Enterprise Server 2016 (build < 16.0.5556.1005), SharePoint Server 2019 (build < 16.0.10417.20153), and SharePoint Server Subscription Edition (build < 16.0.19725.20384).

RemediationAI

Vendor-released patches are available for all three affected product lines. Upgrade Microsoft SharePoint Enterprise Server 2016 to build 16.0.5556.1005 or later, SharePoint Server 2019 to build 16.0.10417.20153 or later, and SharePoint Server Subscription Edition to build 16.0.19725.20384 or later. Apply updates via the Microsoft Update Catalog or WSUS following standard SharePoint patching procedures; note that SharePoint cumulative updates require installation on all servers in the farm and a PSConfig/Products Configuration Wizard run afterward, which entails a maintenance window and brief service interruption. The official advisory is at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45479. If immediate patching is not feasible, compensating controls include restricting SharePoint contribution rights to fully trusted internal accounts only (removing anonymous and external-user access), enabling SharePoint's built-in HTML field security to strip script tags from rich-text fields, and deploying a web application firewall rule to detect and block reflected XSS payloads in SharePoint HTTP responses - note that WAF rules cannot reliably block stored XSS variants and carry a risk of false positives on legitimate rich content.

Share

EUVD-2026-35651 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy