CVE-2026-45465: SharePoint Cross-Site Scripting (XSS) Vulnerability—Risk Assessment & Patch Guidance
CVE-2026-45465 is a cross-site scripting (XSS) vulnerability in Microsoft Office SharePoint that allows an attacker to inject malicious code into web pages generated by the application. When a user visits a compromised page, the injected script executes in their browser, potentially stealing session tokens, credentials, or performing actions on behalf of the victim. The vulnerability requires user interaction—someone must click a malicious link or visit a booby-trapped SharePoint page—but no special privileges are needed to launch the attack. This is a spoofing risk, meaning attackers could impersonate legitimate SharePoint content or trusted users.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-07-09
NVD description (verbatim)
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This stored or reflected XSS flaw (CWE-79) stems from improper input validation and output encoding in SharePoint's web page generation pipeline. An attacker can craft a specially formed request containing script payloads that bypass sanitization filters. When SharePoint renders the page without properly neutralizing the input, the script executes with the privileges of the authenticated user's session. The CVSS 3.1 score of 5.4 reflects network-based attack vectors, low attack complexity, no authentication requirement, and moderate confidentiality and integrity impacts without availability loss. The user interaction requirement (UI:R) significantly constrains the threat model compared to more severe XSS vulnerabilities.
Business impact
SharePoint deployments are often central repositories for sensitive business documents, project plans, and internal communications. An XSS vulnerability could allow attackers to harvest user credentials, intercept document access, or redirect users to phishing sites masquerading as SharePoint. In regulated environments (healthcare, finance, government), this could trigger compliance incidents. The spoofing aspect is particularly concerning because legitimate-looking content or messages could drive users to disclose confidential information or click malicious external links, eroding trust in the collaboration platform.
Affected systems
The vulnerability affects Microsoft SharePoint Server installations. Organizations running SharePoint Server on-premises or in hybrid deployments are in scope. The exact affected versions are not specified in the available intelligence; verify the complete list and build numbers against Microsoft's official security advisory to determine which deployments require immediate attention.
Exploitability
Exploitability is moderate but feasible in real-world scenarios. An attacker must craft a malicious URL or inject content into a SharePoint page that a legitimate user will visit. This could be accomplished through phishing emails directing users to booby-trapped team sites, compromised document links, or social engineering. No special tools or deep SharePoint knowledge are required once the XSS payload is identified. The requirement for user interaction (clicking a link, viewing a page) reduces drive-by attack potential but does not eliminate risk given SharePoint's ubiquity in enterprise environments.
Remediation
Apply security updates from Microsoft addressing CVE-2026-45465. Verify the specific patch versions and KB articles in Microsoft's security advisory. Until patching is possible, implement network controls to restrict SharePoint access to trusted networks, enforce modern authentication protocols, and monitor for suspicious script injection attempts in SharePoint logs. Organizations should also review Content Security Policy (CSP) headers and input validation rules within custom SharePoint applications or web parts.
Patch guidance
Consult Microsoft's security advisory for CVE-2026-45465 to identify the affected SharePoint Server versions and corresponding cumulative updates or security patches. Test patches in a non-production environment before broad rollout, as SharePoint updates can affect customizations and integrated applications. Prioritize systems where external users access SharePoint or where sensitive data is stored. Document patch deployment timelines and communicate expected downtime to stakeholders.
Detection guidance
Monitor SharePoint ULS (Unified Logging Service) logs and IIS logs for unusual script patterns in URLs and form submissions, such as <script>, javascript:, onerror=, and onclick= payloads. Watch for failed input validation events and unexpected content modifications in site pages. Network-level detection should flag requests containing encoded or obfuscated script payloads targeting SharePoint endpoints. Implement Web Application Firewall (WAF) rules to block common XSS patterns before they reach SharePoint. Review user access logs for anomalous actions following suspicious page visits.
Why prioritize this
Although this is a MEDIUM severity vulnerability (CVSS 5.4) with no known exploitation at scale (not on the CISA KEV catalog), SharePoint's centrality in enterprise collaboration and data storage elevates practical risk. The spoofing angle and credential theft potential warrant urgent attention in organizations handling sensitive information. Early patching prevents attackers from establishing a beachhead for document exfiltration or lateral movement. The user-interaction requirement means security awareness campaigns can complement technical controls.
Risk score, explained
The CVSS 3.1 score of 5.4 (MEDIUM) balances multiple factors: network-based attack surface (AV:N) and low attack complexity (AC:L) increase severity, but the requirement for user interaction (UI:R) and absence of authentication requirement lower it. Confidentiality (C:L) and integrity (I:L) impacts reflect the ability to steal or spoof information, while no availability impact (A:N) rules out denial-of-service outcomes. In practical terms, this is a meaningful but not critical vulnerability—it requires both attacker craft and user cooperation but poses real data and trust risks if left unpatched in a populated SharePoint environment.
Frequently asked questions
Could an attacker exploit this without user interaction?
No. The vulnerability requires a user to visit a malicious link or page. An attacker cannot force exploitation through the network alone; they must deceive or trick a user into clicking or navigating to the vulnerable endpoint.
Does this vulnerability allow remote code execution on the server?
No. This is a client-side XSS vulnerability affecting the user's browser session, not the SharePoint server itself. However, the compromised session can be leveraged to perform unauthorized actions (document access, credential theft) on behalf of that user.
Are older versions of SharePoint still vulnerable?
Likely, but the specific affected versions are not detailed in the available intelligence. Consult Microsoft's official advisory to determine which SharePoint versions require patching. Immediate action is recommended for all versions until confirmed safe by the vendor.
What's the difference between stored and reflected XSS in this context?
Both variants are possible in SharePoint. Stored XSS persists in site pages or document metadata, affecting all users who view that page. Reflected XSS typically travels in a URL and executes only for the user who clicks the link. Either form can steal credentials or perform spoofing attacks.
This analysis is based on publicly available information as of the publication date. Verify all patch versions, affected products, and remediation steps against Microsoft's official security advisories before implementation. SEC.co makes no warranty regarding the completeness or accuracy of third-party vendor information. Always test security updates in controlled environments before production deployment. This document is for informational purposes and does not constitute professional security advice; consult your organization's security team and relevant vendors for guidance specific to your infrastructure. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11150MEDIUMChrome XML UXSS Vulnerability – Patch Guide
- CVE-2026-11166MEDIUMChrome SVG Injection Vulnerability – 6.8 CVSS Medium Severity
- CVE-2026-11186MEDIUMChrome UXSS Vulnerability in CSS Rendering—Urgent Patch Required
- CVE-2026-11273MEDIUMGoogle Chrome Omnibox Script Injection Vulnerability (UXSS) – Patch 149.0.7827.53
- CVE-2026-33113MEDIUMMicrosoft SharePoint Cross-Site Scripting (XSS) Vulnerability Analysis
- CVE-2026-45453MEDIUMMicrosoft SharePoint Cross-Site Scripting (XSS) Vulnerability
- CVE-2026-45462MEDIUMSharePoint XSS Vulnerability – Spoofing Risk & Patch Guidance
- CVE-2026-45464MEDIUMSharePoint XSS Vulnerability – Spoofing Risk & Patching Guide