Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Network-reachable stored XSS needing an authenticated low-priv account (PR:L) and victim viewing (UI:R); script escapes into the victim's trusted origin (S:C) with high C/I and no availability impact.
Primary rating from Vendor (microsoft).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
5DescriptionNVD
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
AnalysisAI
Spoofing via stored cross-site scripting in Microsoft SharePoint (Enterprise Server 2016, Server 2019, and Subscription Edition) allows an authenticated attacker to inject script that executes in another user's browser session across a network. CVSS is 8.7 with a scope change, reflecting that injected content escapes into the victim's authenticated context; there is no public exploit identified at time of analysis and CISA SSVC rates exploitation status as none. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to already hold an authenticated SharePoint account with at least contribute/edit rights sufficient to store content (PR:L), and it requires a victim user to interact by viewing the attacker-injected content (UI:R) - the attack is not self-triggering or automatable per CISA SSVC. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and point to a real but not emergency-grade priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a valid low-privilege SharePoint account crafts a list item, page, or web part containing malicious script and stores it where other users will view it. When a higher-privileged user opens that content, the script executes in their authenticated SharePoint session, letting the attacker spoof trusted UI or exfiltrate/act on data within the victim's context. … |
| Remediation | Apply the Microsoft security update referenced in the MSRC advisory (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-55021), upgrading to the fixed builds: SharePoint Enterprise Server 2016 to 16.0.5561.1001 or later, SharePoint Server 2019 to 16.0.10417.20175 or later, and SharePoint Server Subscription Edition to 16.0.19725.20434 or later (Vendor-released patch confirmed available per vendor advisory). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all Microsoft SharePoint deployments (Enterprise Server 2016, Server 2019, and Subscription Edition instances) and confirm current versions; restrict administrative and elevated-privilege access to SharePoint pending patch deployment. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Remote code execution in Microsoft SharePoint (Enterprise Server 2016, Server 2019, and Server Subscription Edition) all
Privilege elevation in Microsoft SharePoint Server (Enterprise Server 2016, Server 2019, and Subscription Edition) lets
Authenticated remote code execution in Microsoft SharePoint (Enterprise Server 2016, Server 2019, and Subscription Editi
Remote code execution in Microsoft SharePoint Server (2016, 2019, and Subscription Edition) lets an unauthenticated atta
Security feature bypass in Microsoft SharePoint (Enterprise Server 2016, Server 2019, and Server Subscription Edition) l
Privilege elevation in Microsoft SharePoint Server (Enterprise Server 2016 and Server 2019) allows an authenticated netw
Privilege escalation in Microsoft SharePoint Server (Enterprise Server 2016, Server 2019, and Subscription Edition) lets
Cross-site scripting (CWE-79) in on-premises Microsoft SharePoint Server allows an authenticated, low-privileged attacke
Local code execution in Microsoft Word (and Office/SharePoint components that render Word content) stems from an integer
Arbitrary code execution in Microsoft Office Word (and the broader Office/365/SharePoint family) arises from a stack-bas
Local code execution in Microsoft Word (part of Microsoft 365 Apps, Office 2019, Office LTSC 2021/2024, and Office for M
Local code execution in Microsoft Word (and the wider Microsoft Office / Microsoft 365 Apps family) lets an unauthorized
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44166
GHSA-c9qw-72v3-rp2r