MEDIUM 4.6

CVE-2026-45467: SharePoint XSS Vulnerability – CVSS 4.6 Analysis & Patch Guidance

CVE-2026-45467 is a cross-site scripting (XSS) vulnerability in Microsoft SharePoint that allows an authenticated user to inject malicious scripts into web pages. When another user views the compromised page, the script executes in their browser, potentially allowing the attacker to steal credentials, manipulate content they see, or impersonate the attacker. The vulnerability requires an authorized SharePoint user to set it up and a victim to click or view the malicious content, limiting its reach but making it effective in insider threat scenarios.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.6 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
3 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This is a CWE-79 improper input neutralization vulnerability affecting Microsoft SharePoint Server. The flaw exists in the web page generation mechanism, where user-supplied input is not properly sanitized before being rendered in the HTML response. An authenticated attacker can inject JavaScript that executes in the context of another user's session. The attack vector is network-based with low complexity, but requires both low privilege (authenticated user) and user interaction (victim must visit the crafted page). The impact is limited to confidentiality and integrity of the affected user's session, with no availability impact.

Business impact

For organizations relying on SharePoint as an intranet or collaboration platform, this vulnerability creates insider threat risk. Attackers with valid SharePoint accounts—such as contractors, former employees with lingering access, or compromised internal accounts—can craft pages that harvest credentials or redirect users to phishing sites. Since SharePoint often hosts sensitive documents and project information, a successful attack could lead to unauthorized data access or business email compromise if integrated with Office 365. The requirement for user interaction means phishing or social engineering campaigns are likely prerequisites to widespread exploitation.

Affected systems

Microsoft SharePoint Server is affected by this vulnerability. The source data lists 'microsoft sharepoint_server' three times, indicating multiple versions or instances are impacted. Organizations should consult the official Microsoft advisory to determine which specific versions (2019, 2016, etc.) and patch levels are vulnerable. On-premises and potentially hybrid deployments should be assessed for exposure.

Exploitability

While the CVSS score of 4.6 (MEDIUM) reflects moderate severity, the practical exploitability is constrained by two factors: the attacker must be an authenticated user (not an external threat), and the victim must interact with the malicious content. This is not a trivial barrier in a large organization where many users have SharePoint access, nor is it particularly difficult given the prevalence of social engineering. The vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting limited evidence of active exploitation in the wild as of the last update, but this does not guarantee future safety.

Remediation

Apply the security patches provided by Microsoft for affected SharePoint Server versions. The priority is moderate given the CVSS score and the requirement for user interaction, but organizations with sensitive data, high-value users, or trusted-but-risky user populations should patch sooner. Review SharePoint permissions and consider whether all user accounts truly need authoring or page creation privileges. Implement web application firewalls (WAF) and content security policies (CSP) to reduce XSS attack surface if patching is delayed.

Patch guidance

Obtain and apply the latest cumulative updates or security patches from Microsoft for your SharePoint Server version. Verify the patch version numbers and release dates against the official Microsoft security advisory before deployment. Test patches in a non-production environment to ensure compatibility with custom solutions and third-party integrations. Plan deployment during a maintenance window to minimize service disruption, and ensure rollback procedures are in place.

Detection guidance

Monitor SharePoint logs for unusual page modifications or content creation by users who do not typically author pages. Search web server logs for suspicious script tags or encoded payloads in query strings or POST bodies. Deploy a WAF with XSS detection rules to identify script injection attempts before they reach SharePoint. Endpoint Detection and Response (EDR) tools can flag unusual JavaScript execution in the context of SharePoint (such as credential access or command execution). User awareness training should emphasize not clicking suspicious internal links or downloading files from untrusted SharePoint pages.

Why prioritize this

This vulnerability merits prompt attention for organizations with sensitive SharePoint deployments, but is not a critical emergency. The MEDIUM severity reflects the combination of authenticated access requirement and user interaction necessity. It should be prioritized above cosmetic or low-risk issues, but below critical remote code execution flaws. Organizations with high volumes of contract workers or external collaborators in SharePoint should prioritize higher. The absence of KEV listing suggests exploit development has not yet become a commodity, allowing some breathing room for testing and staged deployment.

Risk score, explained

The CVSS 3.1 score of 4.6 combines network-based attack surface (AV:N), low attack complexity (AC:L), low privileges required (PR:L), and necessary user interaction (UI:R). These factors yield a MEDIUM severity. The impact is limited to confidentiality and integrity loss in the victim's session, with no system availability impact (A:N). The scope remains unchanged (S:U). This score accurately reflects a real but bounded threat—not a trivial vulnerability, but not a widespread worm-level crisis either.

Frequently asked questions

Can this vulnerability be exploited without a valid SharePoint user account?

No. The vulnerability requires 'Low Privilege' authenticated access according to the CVSS vector. An attacker must have a valid SharePoint account. This significantly reduces the attack surface compared to unauthenticated exploits, but insider threats and compromised accounts remain valid risks.

What happens if a user is tricked into visiting a malicious SharePoint page?

The injected JavaScript executes in the victim's browser within the context of their SharePoint session. Depending on the attacker's payload, they could steal session cookies, capture form input, redirect to phishing sites, or modify page content. The attacker cannot directly access files on the user's computer or the server unless additional vulnerabilities or misconfigurations exist.

Is this vulnerability actively being exploited?

As of the last CISA update, CVE-2026-45467 has not been added to the Known Exploited Vulnerabilities catalog, suggesting limited or no confirmed exploitation in the wild. However, the absence of public exploit code does not mean the vulnerability is secure—determined attackers may exploit it without disclosure.

Should we prioritize patching this over other vulnerabilities?

Yes, it should be prioritized in your normal patch cycle given the MEDIUM severity and direct business process impact. However, if you have active critical or high-severity vulnerabilities outstanding, address those first. A reasonable approach is to include this in the next monthly or quarterly patch window for SharePoint, with accelerated testing if your organization uses SharePoint for highly sensitive workflows.

This analysis is provided for informational purposes and reflects the state of public vulnerability data as of the modification date (2026-06-17). Specific affected versions, patch availability, and remediation timelines should be verified against the official Microsoft security advisory and your own environment. SEC.co makes no warranty regarding the completeness or timeliness of this information. Always consult your organization's security team and vendor guidance before implementing patches or workarounds. This vulnerability analysis does not constitute legal advice or a guarantee of security. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).