MEDIUM 4.6

CVE-2026-45479: SharePoint XSS Vulnerability – Authentication Required, Spoofing Risk

CVE-2026-45479 is a cross-site scripting (XSS) vulnerability in Microsoft Office SharePoint that allows an authenticated attacker to inject malicious code into web pages. When a user views the compromised page, the attacker can steal session credentials, redirect users to phishing sites, or perform actions on behalf of the victim. The attack requires both valid SharePoint credentials and user interaction (clicking a malicious link or visiting a crafted page), which moderates its overall risk.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.6 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
3 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This vulnerability stems from improper input sanitization during web page generation in SharePoint (CWE-79). An authenticated attacker can inject unsanitized input into SharePoint pages, causing malicious JavaScript to execute in the context of other users' browsers. The CVSS 3.1 score of 4.6 reflects the network-exploitable nature, low attack complexity, and requirement for prior authentication plus user interaction. The impact is limited to confidentiality and integrity of the affected user's session; availability is not compromised.

Business impact

SharePoint environments often host sensitive documents, project plans, and internal communications. A successful XSS attack could expose confidential information to unauthorized parties, damage trust in internal systems, or be used as a pivot point for social engineering within the organization. The spoofing capability means attackers can impersonate legitimate SharePoint content, potentially redirecting users to credential harvesting sites or malware distribution channels. Organizations with highly collaborative or public-facing SharePoint instances face elevated risk.

Affected systems

This vulnerability affects Microsoft SharePoint Server. Consult the official Microsoft security advisory for the complete list of affected versions and build numbers. Organizations should audit their SharePoint deployment architecture to identify which servers and site collections are internet-facing or accessible to external authenticated users, as these pose the greatest risk.

Exploitability

Exploitation requires an attacker to possess valid SharePoint credentials and to trick a user into viewing a malicious page or link. The attacker cannot force the victim to interact; user action is mandatory. This requirement significantly lowers the attack surface compared to unauthenticated XSS vulnerabilities. However, in environments where SharePoint guest access or federated authentication is enabled, or where credentials are compromised through other means, this barrier is substantially weakened. The vulnerability is not currently tracked in CISA's Known Exploited Vulnerabilities catalog.

Remediation

Apply the security update from Microsoft as soon as it becomes available for your affected SharePoint versions. Prioritize patching SharePoint servers that host sensitive content or are accessible to external authenticated users. As an interim mitigation, implement or strengthen Content Security Policy (CSP) headers to limit the scope of injected scripts, restrict guest access if not business-critical, and conduct security awareness training to reduce user susceptibility to phishing and social engineering tactics that leverage XSS payloads.

Patch guidance

Obtain the latest security update from the Microsoft Security Update Guide using the CVE identifier. Apply patches in a staged approach: first to non-production environments for compatibility testing, then to production during a scheduled maintenance window. Verify successful patching by checking installed SharePoint build numbers against the advisory. If your organization uses SharePoint Online (Microsoft 365), updates are applied automatically; verify the update status through your tenant settings. For on-premises deployments, use Windows Server Update Services (WSUS) or manual patch deployment depending on your infrastructure.

Detection guidance

Monitor SharePoint logs and IIS logs for unusual input patterns, HTML entities, or JavaScript keywords in query strings and POST body parameters. Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads. Enable SharePoint audit logging to track document access and page modifications by authenticated users. Use endpoint detection and response (EDR) tools to identify suspicious browser activity following user navigation to SharePoint sites. Search for indicators such as script tags, event handlers, or encoded payloads in web traffic to or from SharePoint servers.

Why prioritize this

Although scored as MEDIUM severity, this vulnerability warrants prompt patching due to its ease of exploitation once an attacker has credentials, the widespread use of SharePoint in enterprise environments, and the potential for lateral movement or data exfiltration. The spoofing capability creates a social engineering vector that is often underestimated. Organizations should treat this with higher priority if they have internet-facing SharePoint or high user populations with access to sensitive collaboration spaces.

Risk score, explained

The CVSS 3.1 base score of 4.6 reflects network accessibility (AV:N), low attack complexity (AC:L), requirement for authenticated access (PR:L), and mandatory user interaction (UI:R). The impact is limited to low-level confidentiality and integrity compromise with no availability impact. This score appropriately captures the technical properties but should be supplemented by environmental risk assessment: organizations with externally shared SharePoint sites or sensitive intellectual property should apply a higher contextual risk rating.

Frequently asked questions

Do we need valid SharePoint credentials to exploit this vulnerability?

Yes. The attacker must authenticate to SharePoint before injecting the malicious payload. However, this does not mean the vulnerability is low-risk; stolen credentials, guest accounts, or federated identities can all serve as attack vectors.

What is the difference between this XSS and a stored XSS attack?

CVE-2026-45479 does not specify whether the XSS is stored (persisted in the database) or reflected (in the URL). In either case, the attacker must trick a user into viewing the malicious content. If stored, the payload persists and affects multiple users over time; if reflected, the attacker must distribute a crafted link. Both variants pose significant risk in SharePoint.

Will Microsoft 365 SharePoint Online users be automatically protected?

Yes. Microsoft 365 (cloud-hosted SharePoint Online) receives updates automatically. On-premises SharePoint Server customers must manually apply patches and should not assume they are protected until they have applied the vendor-supplied update.

Can we mitigate this without patching?

Partial mitigation is possible through Web Application Firewall rules, Content Security Policy headers, and access controls. However, these are not substitutes for the security update. Patching should be your primary remediation goal within a defined timeframe.

This analysis is provided for informational purposes and does not constitute professional security advice. Always verify affected product versions, patch availability, and deployment impact through official Microsoft security advisories and your organization's change management process. Conduct thorough testing in non-production environments before deploying patches to production systems. SEC.co makes no warranty regarding the completeness or accuracy of this intelligence and recommends consulting with your internal security team and Microsoft support for environment-specific guidance. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).