CVE-2026-45453: Microsoft SharePoint Cross-Site Scripting (XSS) Vulnerability
CVE-2026-45453 is a cross-site scripting (XSS) vulnerability in Microsoft Office SharePoint that allows attackers to inject malicious scripts into web pages. When a user visits a compromised page, the attacker's script executes in their browser, enabling spoofing attacks—such as stealing credentials, impersonating legitimate content, or redirecting users to phishing sites. The vulnerability requires user interaction (clicking a malicious link or visiting a crafted URL) but does not require authentication to exploit.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-07-09
NVD description (verbatim)
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This is a reflected or stored XSS flaw (CWE-79) stemming from inadequate input sanitization during web page generation in SharePoint. The vulnerability allows an unauthenticated attacker to inject arbitrary HTML and JavaScript that executes in the victim's browser context with user-level permissions. The CVSS 3.1 score of 5.4 reflects network-based attack vector, low attack complexity, no privilege requirement, and user interaction—resulting in low confidentiality and integrity impact but no availability impact. The attack surface is limited to users actively interacting with SharePoint web interfaces.
Business impact
SharePoint administrators and organizations relying on SharePoint for collaboration must assume that users could be socially engineered into clicking malicious links that exfiltrate session tokens, credentials, or sensitive document metadata. Attackers could impersonate trusted SharePoint administrators or colleagues, potentially disrupting team workflows and eroding trust in internal collaboration platforms. The reputational risk includes potential disclosure of confidential information through spoofed communications appearing to originate from SharePoint accounts.
Affected systems
Microsoft SharePoint Server is affected. The vendor product listing indicates multiple SharePoint Server instances; verify exact version applicability and cumulative update status in the official Microsoft security advisory and your deployment documentation.
Exploitability
This vulnerability is not yet listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting active exploitation in the wild has not been publicly reported or confirmed at the time of publication. However, XSS flaws are among the most frequently exploited web application vulnerabilities, and the low attack complexity combined with the user-interaction requirement makes this a natural target for phishing and social engineering campaigns. No weaponized proof-of-concept code is known to be widely available.
Remediation
Apply security updates from Microsoft as soon as they become available. Prioritize patching internet-facing or externally-accessible SharePoint instances. Implement web application firewalls (WAF) rules to detect and block common XSS payloads. Enforce Content Security Policy (CSP) headers on SharePoint sites to limit script execution. Educate users to avoid clicking unfamiliar links and to verify sender legitimacy before interacting with sensitive SharePoint content.
Patch guidance
Check the Microsoft Security Update Guide and relevant SharePoint Server cumulative update releases published after the vulnerability's modification date (July 9, 2026). Apply patches in a staged manner—test in non-production environments first, then deploy to production during scheduled maintenance windows. Verify patch applicability to your specific SharePoint version and build number before deployment. Monitor SharePoint logs post-patch for any related incident activity.
Detection guidance
Look for HTTP requests containing script tags, JavaScript event handlers (onclick, onerror, onload), or URL-encoded payloads in SharePoint query parameters and form submissions. Monitor for unusual spikes in 4xx or 5xx errors that may indicate WAF rule triggers or failed injection attempts. Enable SharePoint audit logging to track access to sensitive lists and document libraries. Use network-based intrusion detection signatures targeting reflected XSS patterns. Correlate user login times with suspicious file accesses or outbound connections initiated from compromised sessions.
Why prioritize this
Although the CVSS score is medium (5.4), organizations should prioritize this vulnerability because XSS in collaboration platforms has outsized business impact: attackers can impersonate internal users, harvest credentials through spoofing, and gain persistent access to sensitive collaborative content. The lack of KEV listing does not indicate low risk—it reflects a lag in active exploitation reporting. SharePoint's role as a central repository for organizational IP makes it a high-value target. Patching should begin immediately after testing, particularly for externally-accessible instances.
Risk score, explained
The CVSS 3.1 score of 5.4 (Medium) reflects: (1) network attack vector—exploitable remotely without special network conditions; (2) low attack complexity—no special setup required; (3) no privilege requirement—unauthenticated users can trigger the flaw; (4) user interaction required—victims must click or visit a malicious link; (5) impact limited to confidentiality and integrity (low), with no availability impact. The score does not account for business context—financial data exposure, reputational harm, or the strategic value of SharePoint in your organization—so adjust risk prioritization upward if your deployment hosts sensitive information or is customer-facing.
Frequently asked questions
What is the difference between reflected and stored XSS, and which does this vulnerability represent?
Reflected XSS occurs when a malicious script is injected via a URL parameter and executed immediately in the victim's browser without being stored in the application. Stored XSS persists in the database and affects all users who view the compromised content. The vulnerability description does not specify which variant applies to SharePoint. Review the Microsoft advisory to determine whether the flaw is in URL parameter handling (reflected) or in document/list item content processing (stored). Stored variants are more dangerous because they do not require social engineering of each victim.
If I restrict SharePoint access to internal networks only, am I protected from this vulnerability?
Network segmentation reduces exposure but does not eliminate risk. Insider threats, compromised internal machines, and VPN-connected remote workers can still exploit this flaw. Additionally, if any external-facing SharePoint instances exist (e.g., for partner collaboration), they remain vulnerable. Patching is essential regardless of network topology.
Do I need to patch all versions of SharePoint, or only the latest?
Patch all supported versions running in your environment. Microsoft typically provides security updates for current and one previous major version under mainstream support, plus extended security updates (ESU) for older versions. Consult the Microsoft support lifecycle policy and your security update portal to confirm which versions you operate and which patches apply.
How can I test whether my SharePoint instance is vulnerable without waiting for a patch?
Consult the Microsoft advisory for proof-of-concept or reproduction steps (do not create or run weaponized exploit code). Alternatively, engage a qualified security partner to perform safe, controlled testing in an isolated lab environment. Do not test against production systems. Your WAF and input validation controls can be audited for XSS resilience using industry-standard payloads, but only with explicit approval and proper isolation.
This analysis is provided for informational purposes and reflects publicly available information as of the publication date. CVSS scores, vendor advisories, and patch availability are subject to change. Always consult official Microsoft security advisories and your vendor documentation before making patching decisions. Security risk is contextual to your organization's environment, data classification, and threat model; adjust prioritization accordingly. This explainer does not constitute security advice or a substitute for professional risk assessment. No exploit code or weaponized proof-of-concept details are included. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11150MEDIUMChrome XML UXSS Vulnerability – Patch Guide
- CVE-2026-11166MEDIUMChrome SVG Injection Vulnerability – 6.8 CVSS Medium Severity
- CVE-2026-11186MEDIUMChrome UXSS Vulnerability in CSS Rendering—Urgent Patch Required
- CVE-2026-11273MEDIUMGoogle Chrome Omnibox Script Injection Vulnerability (UXSS) – Patch 149.0.7827.53
- CVE-2026-33113MEDIUMMicrosoft SharePoint Cross-Site Scripting (XSS) Vulnerability Analysis
- CVE-2026-45462MEDIUMSharePoint XSS Vulnerability – Spoofing Risk & Patch Guidance
- CVE-2026-45464MEDIUMSharePoint XSS Vulnerability – Spoofing Risk & Patching Guide
- CVE-2026-45465MEDIUMSharePoint Cross-Site Scripting (XSS) Vulnerability—Risk Assessment & Patch Guidance