CVE-2026-45481: Microsoft SharePoint XSS Vulnerability (CVSS 7.3) – Patch & Detection Guide
A cross-site scripting (XSS) vulnerability in Microsoft Office SharePoint allows an authenticated user to inject malicious scripts into web pages. An attacker with valid SharePoint access can craft a specially formed input that bypasses input validation, causing the server to generate pages containing attacker-controlled JavaScript. When other authorized users view the compromised page, their browser executes the injected script in the context of the SharePoint application, enabling the attacker to impersonate them, steal session tokens, or perform actions on their behalf. The vulnerability requires user interaction (clicking a link or visiting a page) but poses significant risk within organizations that rely on SharePoint for document management and collaboration.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-45481 is a reflected or stored XSS vulnerability (CWE-79) stemming from improper input neutralization during web page generation in Microsoft SharePoint Server. The vulnerability exists in a code path accessible to authenticated users. Input validation and output encoding mechanisms fail to adequately sanitize user-supplied data before it is rendered into HTML responses. An attacker with valid SharePoint credentials can submit payloads containing JavaScript that execute in the security context of the victim's browser session. The CVSS 3.1 score of 7.3 (HIGH) reflects network accessibility, low attack complexity, requirement for low privileges (authenticated access), user interaction dependency, and impact on confidentiality and integrity without availability loss.
Business impact
Organizations using SharePoint face exposure to account compromise and lateral movement risk. An insider threat or compromised account can be leveraged to execute unauthorized actions masquerading as other users, including modifying documents, exfiltrating sensitive data, or escalating privileges. The spoofing capability means audit logs may incorrectly attribute malicious actions to innocent users, complicating forensics and compliance reporting. Teams, compliance officers, and knowledge workers who regularly access SharePoint are at elevated risk. The remediation window creates operational urgency given SharePoint's central role in enterprise content governance.
Affected systems
Microsoft SharePoint Server is the sole affected product family. The vulnerability applies across multiple versions of SharePoint Server; consult the official Microsoft security advisory for the complete list of impacted versions and build numbers. Organizations running on-premises SharePoint deployments are directly affected. SharePoint Online (cloud) versions should be verified against Microsoft's patch status, as cloud deployments may receive automatic updates.
Exploitability
Exploitation requires valid SharePoint authentication, limiting the attacker pool to users with account access or to external actors who have compromised a legitimate credential set. Once authenticated, the attack vector is network-based and does not require special privileges or complex technical setup—standard HTTP requests suffice. User interaction is mandatory; the victim must visit a malicious link or access a compromised page. The lack of active exploitation in the wild (KEV status: not listed) suggests either recent discovery or limited real-world weaponization as of the publication date. However, the straightforward nature of XSS attacks and the sensitivity of SharePoint environments mean opportunistic exploitation by insiders is a credible scenario.
Remediation
Apply security updates from Microsoft as they become available. Verify the specific patch versions through the official Microsoft Security Update Guide. Until patches are deployed, organizations should implement compensating controls: enforce Content Security Policy (CSP) headers to restrict script execution, conduct user awareness training emphasizing suspicious links, deploy Web Application Firewall (WAF) rules to detect XSS patterns, and review SharePoint permission models to minimize the number of users with content creation rights. Consider disabling unnecessary web parts and custom code if they are not business-critical.
Patch guidance
Monitor the Microsoft Security Update Guide and the Microsoft SharePoint Server security advisory page for patch release announcements. Patches will be released in security updates (typically on Patch Tuesday or as out-of-band releases). Test patches in a non-production environment before broad deployment to confirm compatibility with custom solutions and third-party integrations. Prioritize patching systems that host sensitive or highly-accessed content. For SharePoint Online, Microsoft typically applies patches automatically; verify your tenant's update status in the Microsoft 365 admin center. Document the patching date and affected versions for compliance and audit purposes.
Detection guidance
Monitor SharePoint Server logs for HTTP requests containing JavaScript payload signatures (script tags, event handlers like 'onerror', 'onload', etc.) in query parameters or POST bodies. Implement IDS/IPS rules targeting XSS patterns. Enable audit logging in SharePoint to capture changes to list items and page content; establish baselines for normal activity and alert on unusual modifications. Use SIEM correlation to identify sessions where a user views a potentially malicious page and then performs unexpected administrative actions. Search web server logs (IIS) for encoded XSS payloads (e.g., %3Cscript%3E variations). Endpoint Detection and Response (EDR) solutions may flag suspicious script execution originating from browser processes accessing SharePoint URLs.
Why prioritize this
Despite the HIGH CVSS score of 7.3, this vulnerability warrants urgent but measured prioritization. The requirement for authenticated access limits blast radius compared to unauthenticated XSS flaws, but SharePoint's role in business-critical workflows elevates impact. Insider threat and credential compromise scenarios are realistic. The absence of KEV listing and active exploitation reduces immediate pressure, allowing time for careful testing and staged deployment. Organizations should patch within 30 days; those with restrictive access controls and low SharePoint usage may extend this window slightly. High-sensitivity environments handling intellectual property or regulated data should patch within 2 weeks.
Risk score, explained
The CVSS 3.1 score of 7.3 reflects: (1) network-based attack surface requiring no special network positioning, (2) low attack complexity—standard XSS techniques apply with no race conditions or special timing, (3) requirement for low-level authenticated access—a legitimate user account suffices, not administrator rights, (4) essential user interaction—the victim must be tricked into visiting a malicious link, (5) unchanged scope—impact is confined to the SharePoint application and the victim's session, (6) high confidentiality impact—session hijacking enables access to sensitive SharePoint content, (7) high integrity impact—injected scripts can modify or delete data, and (8) no availability impact—the attack does not crash the service or exhaust resources. The score would be higher if authentication were not required or if user interaction were eliminated.
Frequently asked questions
Can an attacker exploit this vulnerability without a valid SharePoint account?
No. The vulnerability requires the attacker to be authenticated to SharePoint or to trick an authenticated user into visiting a malicious link. External attackers without credentials cannot directly trigger the flaw; however, they can craft URLs or phishing emails to social-engineer legitimate users into clicking malicious links that execute the payload in the victim's authenticated session.
Is SharePoint Online affected, or only on-premises SharePoint Server?
The CVE applies to Microsoft SharePoint Server (on-premises). SharePoint Online in Microsoft 365 is a separate service and may have different security properties. Consult Microsoft's official advisory to confirm whether your SharePoint Online tenant requires action. Cloud deployments typically receive patches automatically and with minimal notice to administrators.
What is the difference between reflected and stored XSS, and does it matter for this vulnerability?
Reflected XSS executes when a user visits a crafted URL; stored XSS persists in the database and affects all users who view the compromised content. The distinction affects risk scope: stored XSS on a heavily-accessed SharePoint page endangers many users, while reflected XSS requires individual social engineering. The CVE description does not explicitly state the type; your patch advisory should clarify. Regardless, both forms enable session hijacking and impersonation.
Should we disable SharePoint until patches are available?
No. Complete service shutdown is disproportionate. Instead, implement mitigating controls: enforce strict Content Security Policy headers, review file upload and page customization permissions, conduct user training, and monitor for suspicious activity. Apply patches as soon as they are tested and validated in your environment. Organizations with robust access controls and low-risk content may safely operate while awaiting patches, provided monitoring is active.
This analysis is provided for informational purposes and represents SEC.co's professional assessment as of the publication date. Patch versions, timelines, and affected product lists must be verified against the official Microsoft Security Update Guide and product advisories; do not rely solely on this summary for compliance or deployment decisions. Organizations are responsible for testing patches in their environments before production deployment. The absence of active exploitation or KEV listing does not guarantee immunity from attack and should not delay security planning. CVSS scores represent severity but do not account for organizational risk context; adjust prioritization based on your asset inventory, access controls, and threat model. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-41098HIGHAzure Stack Edge XSS Vulnerability (CVSS 8.4) – High-Severity Admin Interface Spoofing
- CVE-2026-45644HIGHXSS in Microsoft Live Share Canvas SDK Poses Insider Threat Risk
- CVE-2026-47631HIGHMicrosoft Exchange Server XSS Vulnerability – Spoofing Risk
- CVE-2026-47634HIGHSharePoint Output Injection Spoofing Vulnerability
- CVE-2026-11150MEDIUMChrome XML UXSS Vulnerability – Patch Guide
- CVE-2026-11166MEDIUMChrome SVG Injection Vulnerability – 6.8 CVSS Medium Severity
- CVE-2026-11186MEDIUMChrome UXSS Vulnerability in CSS Rendering—Urgent Patch Required
- CVE-2026-11273MEDIUMGoogle Chrome Omnibox Script Injection Vulnerability (UXSS) – Patch 149.0.7827.53