CVE-2026-33113: Microsoft SharePoint Cross-Site Scripting (XSS) Vulnerability Analysis
Microsoft Office SharePoint contains a cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into web pages. When a user visits a compromised SharePoint page, the injected code executes in their browser, potentially allowing the attacker to steal session tokens, redirect users to phishing sites, or perform actions on behalf of the victim. This is a reflected or stored XSS flaw—the vulnerability itself requires user interaction to trigger, but the impact can be significant for organizations relying on SharePoint for document collaboration and intranet services.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-07-09
NVD description (verbatim)
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-33113 is a CWE-79 (Improper Neutralization of Input During Web Page Generation) vulnerability affecting Microsoft SharePoint Server. The flaw permits an unauthenticated attacker to inject arbitrary HTML and JavaScript into SharePoint pages via network-based attack. The CVSS 3.1 score of 5.4 (Medium) reflects network accessibility (AV:N), low attack complexity (AC:L), no authentication requirement (PR:N), but mandates user interaction (UI:R). Impact is limited to confidentiality and integrity (C:L/I:L) with no availability degradation, and the scope remains unchanged (S:U). The vulnerability enables spoofing attacks by rendering malicious content within the trusted SharePoint application context.
Business impact
XSS vulnerabilities in SharePoint pose a serious risk to organizational security posture. Attackers can craft malicious links or documents that, when accessed by employees, compromise their sessions or credentials. Internally distributed phishing emails linking to weaponized SharePoint pages could harvest credentials at scale. For organizations using SharePoint as a central collaboration and knowledge-management platform, this can undermine user trust and create compliance complications around data handling. Remediation delays leave users exposed to credential theft, unauthorized access to sensitive documents, and lateral movement within the corporate network.
Affected systems
Microsoft SharePoint Server installations are affected by this vulnerability. The ground-truth data identifies SharePoint Server as the affected product line; verify the specific versions requiring patches against the official Microsoft advisory, as patch applicability varies by build and cumulative update level. Organizations running on-premises SharePoint deployments are in scope, as are those integrating SharePoint with hybrid or cloud environments. Verify your deployment topology and current build version to determine remediation urgency.
Exploitability
The vulnerability requires user interaction—a victim must visit or interact with a crafted page or link. This is not a pre-authentication remote code execution and does not warrant automatic execution. However, the attack vector is network-based and requires no authentication from the attacker, making it suitable for broad phishing campaigns targeting SharePoint users. The low attack complexity suggests no special conditions or tools are needed beyond crafting a malicious URL or document reference. Practical exploitation hinges on social engineering; the barrier to entry is low for attackers with basic web security knowledge.
Remediation
Patch your SharePoint Server installations according to Microsoft's official security advisory for CVE-2026-33113. Patches are typically released as cumulative updates or security-only rollups; apply the recommended version for your environment. In parallel, implement or reinforce input validation and output encoding at the application layer to sanitize user-supplied input and prevent script injection. Deploy web application firewalls (WAF) or URL filtering to block known malicious SharePoint links. Educate users on the risks of clicking suspicious links in collaboration tools, and enforce strong multi-factor authentication to mitigate credential compromise if XSS-based phishing occurs.
Patch guidance
Visit the Microsoft Security Update Guide and search for CVE-2026-33113 to identify the specific cumulative update or security patch applicable to your SharePoint Server version and environment. Microsoft typically releases patches on Patch Tuesday (second Tuesday of each month). Download and stage patches in a non-production environment first, then schedule a controlled rollout during a maintenance window. Test all critical SharePoint workflows, integrations, and third-party applications after patching to ensure compatibility. Prioritize patching systems exposed to untrusted users or with high user traffic.
Detection guidance
Monitor SharePoint access logs and IIS logs for suspicious URL patterns, encoded script tags, or repeated failed authentication attempts followed by successful access from anomalous IP addresses. Deploy endpoint detection and response (EDR) tools to identify malicious script execution on user workstations after accessing SharePoint. Web application firewalls should be tuned to detect common XSS payloads in query strings and POST data targeting SharePoint endpoints. Security information and event management (SIEM) can correlate SharePoint access logs with outbound network traffic to phishing or data exfiltration sites. Implement content security policy (CSP) headers on SharePoint to restrict script execution to trusted sources.
Why prioritize this
Although the CVSS score is Medium (5.4) and not critical, this vulnerability merits prompt attention due to its network accessibility, lack of authentication barriers for attackers, and prevalence of SharePoint in enterprise environments. XSS in collaboration tools is a high-value target for initial access campaigns and credential harvesting. The requirement for user interaction is a limiting factor, but persistent phishing campaigns can overcome this barrier. Organizations with high-risk user populations (executives, finance, HR) or sensitive data repositories on SharePoint should treat this as a near-term patch priority.
Risk score, explained
The CVSS 3.1 score of 5.4 reflects a Medium severity rating driven by network accessibility and user interaction requirement. The lack of authentication (PR:N) and low complexity (AC:L) increase the threat surface; however, limited scope (S:U), low confidentiality impact (C:L), low integrity impact (I:L), and no availability impact (A:N) prevent a higher score. In real-world contexts, the actual risk may be elevated for organizations with sensitive data on SharePoint or high-volume external collaboration; conversely, internal-only deployments with strong access controls face lower practical risk.
Frequently asked questions
Does this vulnerability allow remote code execution (RCE)?
No. CVE-2026-33113 is an XSS vulnerability, not RCE. Attackers can inject and execute client-side scripts in the victim's browser, allowing session hijacking, credential theft, and phishing, but not direct command execution on the server or network. RCE would require a separate vulnerability or privilege escalation.
Do I need to patch if my SharePoint is internal and behind a firewall?
Yes, you should still patch. While internal deployment reduces the attack surface, phishing campaigns targeting employees can deliver malicious SharePoint links that exploit XSS once a user is authenticated. Additionally, insider threats and compromised user accounts can still trigger the vulnerability.
What is the difference between this vulnerability and typical phishing?
Phishing typically tricks users into visiting an attacker-controlled site. This XSS vulnerability allows attackers to inject malicious code into a legitimate SharePoint page, making the attack appear to come from a trusted source. This increases success rates for credential harvesting and social engineering.
Is there a known exploit or proof-of-concept?
The ground-truth data indicates this vulnerability is not on the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting no publicly disclosed active exploitation at the time of publication. However, absence from the KEV list does not guarantee exploits do not exist; patch promptly regardless.
This analysis is provided for informational purposes and reflects publicly available information as of the publication date. The details, patch status, and remediation guidance should be verified against the official Microsoft Security Update Guide and vendor advisories before implementation. SEC.co makes no warranty regarding the completeness or accuracy of this analysis. Organizations are responsible for assessing their own risk posture and applying patches according to their change management and security policies. Always test patches in a non-production environment before deployment. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11150MEDIUMChrome XML UXSS Vulnerability – Patch Guide
- CVE-2026-11166MEDIUMChrome SVG Injection Vulnerability – 6.8 CVSS Medium Severity
- CVE-2026-11186MEDIUMChrome UXSS Vulnerability in CSS Rendering—Urgent Patch Required
- CVE-2026-11273MEDIUMGoogle Chrome Omnibox Script Injection Vulnerability (UXSS) – Patch 149.0.7827.53
- CVE-2026-41098HIGHAzure Stack Edge XSS Vulnerability (CVSS 8.4) – High-Severity Admin Interface Spoofing
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise