CVE-2026-45464: SharePoint XSS Vulnerability – Spoofing Risk & Patching Guide
CVE-2026-45464 is a cross-site scripting (XSS) vulnerability in Microsoft Office SharePoint that allows attackers to inject malicious scripts into web pages. An attacker can trick users into visiting a crafted SharePoint page, causing their browser to execute the injected code. This enables spoofing attacks where legitimate content or UI elements can be forged to deceive users into divulging credentials, transferring funds, or trusting false information. The vulnerability requires user interaction—a person must click a malicious link or visit a compromised page—but the attacker does not need authentication to craft the attack.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-07-09
NVD description (verbatim)
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from improper input sanitization during web page generation in SharePoint (CWE-79). When SharePoint processes user-supplied input to build web pages, it fails to neutralize characters and constructs that have special meaning in HTML and JavaScript contexts. An unauthenticated attacker can craft a URL containing malicious JavaScript payloads that, when rendered in a victim's browser, execute within the security context of the SharePoint domain. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) reflects network-based delivery, low attack complexity, no privileges required, but mandatory user interaction. Confidentiality and integrity are impacted; availability is not affected.
Business impact
This vulnerability poses a moderate but meaningful risk to organizations relying on SharePoint for collaboration and document management. Attackers can perform credential harvesting by injecting fake login prompts, redirect users to phishing sites masquerading as SharePoint, or modify displayed content to conduct social engineering campaigns. In regulated environments, unauthorized modification of document metadata or falsification of audit trails through JavaScript injection could create compliance issues. The spoofing vector is particularly dangerous in organizations where users trust SharePoint links shared internally, as attackers can exploit that trust via email or external communication channels. Data exfiltration and direct system compromise are unlikely, but reputational damage and user trust erosion are concrete risks.
Affected systems
Microsoft SharePoint Server is affected. The vulnerability impacts SharePoint deployments across both on-premises and hybrid configurations. End users accessing SharePoint via web browsers—particularly those using older browsers or without modern security controls—are at primary risk. Organizations with high numbers of external or guest SharePoint users face elevated exposure, as these users may be less familiar with organizational security practices and more susceptible to spoofing attacks.
Exploitability
Exploitation is practical but not effortless. An attacker must craft a malicious URL containing XSS payload and persuade a user to click it—typically via email, messaging, or social engineering. The attack cannot be weaponized as a worm or delivered without human intervention. No CVSS score boost for 'actively exploited in the wild' (KEV status is false), indicating this is not yet a known-exploited vulnerability in public disclosure databases as of the modification date. However, XSS vulnerabilities in widely-used collaboration platforms are attractive targets, and exploitation tooling is straightforward to develop.
Remediation
Apply security updates from Microsoft targeting this vulnerability in SharePoint Server. Verify patch version numbers and applicability against your specific SharePoint deployment (on-premises, cloud, or hybrid) via the official Microsoft security advisory. No workaround mitigates the underlying flaw, so patching is mandatory. In parallel, implement browser-based protections: enforce Content Security Policy (CSP) headers to restrict inline script execution, enable X-XSS-Protection headers, and educate users to verify URL legitimacy before clicking SharePoint links.
Patch guidance
Consult the Microsoft Security Updates portal and official SharePoint security advisories for patch release dates and version numbers specific to your SharePoint Server edition and patch level. Apply patches during a scheduled maintenance window to avoid service disruption. Test patches in a non-production SharePoint environment first to confirm compatibility with custom extensions or third-party integrations. After patching, validate that XSS injection attempts are properly neutralized by attempting to inject simple payloads into SharePoint fields and verifying they render as text rather than executable code.
Detection guidance
Monitor SharePoint access logs and web proxy logs for suspicious URL patterns indicative of XSS payloads—look for encoded JavaScript keywords (e.g., '%3cscript%3e', 'alert(', 'document.location'). Configure SharePoint audit logging to capture modifications to page content and metadata. Implement Web Application Firewall (WAF) rules to block requests containing known XSS signatures in query parameters and POST bodies. Use browser-level telemetry if available to detect execution of unexpected scripts within the SharePoint domain. User awareness training should emphasize verification of SharePoint link sources before clicking.
Why prioritize this
This vulnerability merits prompt but not emergency remediation. The CVSS score of 5.4 (MEDIUM) and user interaction requirement prevent it from rising to CRITICAL status. However, SharePoint's ubiquity in enterprise environments, the accessibility of XSS exploitation, and the social engineering attack vector justify prioritizing it above lower-risk issues. Organizations with high-value or sensitive documents, stringent compliance requirements, or frequent external user access should prioritize patching within 30–60 days. Others can incorporate it into standard monthly patch cycles.
Risk score, explained
The CVSS 3.1 score of 5.4 reflects a network-accessible vulnerability requiring no authentication but with mandatory user interaction and limited impact scope. Integrity and confidentiality are both degraded (each rated Low), but the attack does not compromise system availability or require privilege escalation. The score appropriately penalizes the user-interaction requirement while acknowledging that XSS in a collaboration platform accessible over the internet creates a meaningful real-world risk. The absence of KEV (known exploited vulnerability) status moderates the score but should not lead to complacency given the ease of developing XSS exploits.
Frequently asked questions
Can this vulnerability be exploited by someone inside our organization with SharePoint access?
Technically, any authenticated SharePoint user could attempt to inject XSS via document properties, comments, or custom fields. However, the CVE describes exploitation by an unauthorized attacker, implying the primary vector is via unauthenticated web access. Malicious insiders are a separate access-control risk; defend against them using least-privilege SharePoint permissions and audit logging.
If we disable scripting in our browsers, are we protected?
Disabling JavaScript would prevent XSS payload execution, but it would also break most modern SharePoint functionality. A better approach is to educate users not to click untrusted links, configure your SharePoint Content Security Policy headers, and apply the security patch. Browser privacy/security extensions that block inline scripts offer a middle ground.
Does this vulnerability affect SharePoint Online (Office 365 Cloud)?
The vulnerability is documented against Microsoft SharePoint Server (on-premises). SharePoint Online may or may not be affected depending on whether it shares the vulnerable code path. Consult the Microsoft advisory to confirm whether your specific SharePoint deployment version is in scope. Microsoft typically patches cloud services proactively, but verify status via your Office 365 admin portal or contact Microsoft support.
What's the difference between this XSS and other SharePoint vulnerabilities?
All XSS vulnerabilities allow script injection, but their impact varies by context. This CVE enables spoofing specifically, meaning attackers can impersonate legitimate SharePoint content or UI elements. Other XSS flaws might enable session hijacking, data theft, or malware delivery. The spoofing angle here suggests a focus on social engineering rather than passive data exfiltration, which influences both detection strategy and user training focus.
This analysis is for informational purposes and does not constitute legal, compliance, or professional security advice. Patch version numbers and affected product details must be verified against official Microsoft security advisories before deployment. Organizations should assess their specific SharePoint configuration and risk posture independently. SEC.co makes no warranty regarding the accuracy or completeness of vulnerability data and recommends consulting vendor advisories and working with qualified security professionals for remediation planning. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11150MEDIUMChrome XML UXSS Vulnerability – Patch Guide
- CVE-2026-11166MEDIUMChrome SVG Injection Vulnerability – 6.8 CVSS Medium Severity
- CVE-2026-11186MEDIUMChrome UXSS Vulnerability in CSS Rendering—Urgent Patch Required
- CVE-2026-11273MEDIUMGoogle Chrome Omnibox Script Injection Vulnerability (UXSS) – Patch 149.0.7827.53
- CVE-2026-33113MEDIUMMicrosoft SharePoint Cross-Site Scripting (XSS) Vulnerability Analysis
- CVE-2026-45453MEDIUMMicrosoft SharePoint Cross-Site Scripting (XSS) Vulnerability
- CVE-2026-45462MEDIUMSharePoint XSS Vulnerability – Spoofing Risk & Patch Guidance
- CVE-2026-45465MEDIUMSharePoint Cross-Site Scripting (XSS) Vulnerability—Risk Assessment & Patch Guidance