CVE-2026-45483: Microsoft SharePoint Server XSS Vulnerability – Spoofing Risk for Authenticated Users
Microsoft Office Project Server contains a cross-site scripting (XSS) vulnerability that allows an authenticated user to inject malicious code into web pages viewed by others. An attacker would need valid login credentials and would require a victim to interact with a crafted link or page element. The injected code runs in the victim's browser in the context of Project Server, enabling spoofing attacks such as credential theft or unauthorized actions on behalf of the user. This is a moderate-severity issue that primarily affects organizations where Project Server access is restricted to authenticated users.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.6 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office Project Server allows an authorized attacker to perform spoofing over a network.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-45483 is a stored or reflected XSS vulnerability (CWE-79) in Microsoft Office Project Server's web page generation logic. The flaw stems from insufficient input validation or output encoding when processing user-supplied data. Because the vulnerability requires PR:L (authenticated attacker) and UI:R (user interaction), the attack surface is narrower than unauthenticated XSS. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N) indicates network-accessible exploitation, low attack complexity, limited confidentiality and integrity impact, and no availability impact. The vulnerability does not escape the security context (S:U), meaning the attacker cannot elevate privileges or affect other authentication domains.
Business impact
Organizations running Project Server should assess exposure based on user base and trust boundaries. The spoofing capability poses a social engineering and credential-harvesting risk, particularly in environments where Project Server users manage sensitive project data or approve resource allocations. Attackers with employee or contractor credentials could craft convincing phishing campaigns within the trusted Project Server domain, potentially leading to unauthorized access, data exfiltration, or manipulation of project timelines and budgets. Teams heavily reliant on Project Server for governance and audit trails should evaluate whether XSS-based spoofing could undermine compliance or integrity controls.
Affected systems
Microsoft SharePoint Server deployments that include Project Server functionality are affected. The source data identifies multiple affected product editions or service pack levels under the Microsoft SharePoint Server umbrella (exact version details should be verified in the official Microsoft security advisory). Organizations should consult Microsoft's published guidance to confirm whether their specific Project Server build is included in the vulnerable range. Project Server is typically deployed in hybrid or on-premises scenarios, though some organizations may access it through managed services.
Exploitability
Exploitation requires an authenticated attacker with valid Project Server credentials, significantly reducing the threat actor pool. The attack mandates user interaction (UI:R), meaning the victim must click a link, submit a form, or view a malicious page element. No CVSS data indicates active exploitation in the wild (KEV status: not added), suggesting limited known public weaponization at the time of analysis. However, the low attack complexity means that once an attacker has credentials, crafting a convincing XSS payload is straightforward. Organizations with strict role-based access controls and user activity monitoring may detect exploitation attempts.
Remediation
Apply the security patch released by Microsoft for CVE-2026-45483 (verify specific version numbers and KB article in the official Microsoft Security Update Guide). Most organizations will deploy patches through Windows Update, WSUS, or manual update processes depending on their infrastructure. Patch deployment should be coordinated across all Project Server instances and clients to maintain consistency. Until patches are applied, consider restricting Project Server access to trusted networks or enforcing additional authentication factors for sensitive operations.
Patch guidance
Consult the Microsoft Security Update Guide (portal.msrc.microsoft.com) and Microsoft SharePoint Server documentation for the specific KB article and build numbers addressing CVE-2026-45483. Verify compatibility with your current Project Server version, build, and dependent applications before deploying patches to production. Test patches in a staging environment that mirrors your production setup. Given the moderate CVSS score and authenticated-only attack vector, patch deployment can be sequenced with other monthly updates unless your organization has high XSS-sensitive use cases. Ensure all Project Server front-ends and potentially associated web applications are updated consistently.
Detection guidance
Monitor Project Server web logs for unusual script injection patterns in query parameters, POST data, or user-supplied fields. Look for encoded or obfuscated JavaScript payloads (script tags, event handlers like onerror, onload, etc.). Correlate suspicious requests with subsequent user activity from unexpected IP addresses or sessions. Enable detailed audit logging on Project Server to track modifications to web pages, templates, or user-visible content. User reports of unexpected page behavior, pop-ups, or credential prompts in Project Server warrant investigation. Endpoint detection and response (EDR) tools may flag malicious script execution in browser processes initiated from Project Server URLs. Web application firewalls (WAF) configured to block common XSS payloads can provide an interim control.
Why prioritize this
While the CVSS score is moderate (4.6), prioritization depends on your Project Server exposure and user trust dynamics. Organizations with hundreds of Project Server users should treat this as higher priority because XSS spoofing within a trusted application can be highly effective for social engineering. Conversely, organizations with minimal Project Server adoption or strong phishing awareness training may deprioritize relative to critical vulnerabilities. The lack of KEV listing and active exploitation indicates this is not an emergency, but the spoofing vector makes it more than a low-level information disclosure. Patch within your standard security update cycle (30–60 days), accelerating if your Project Server controls authorization decisions or sensitive workflows.
Risk score, explained
The CVSS 3.1 score of 4.6 (MEDIUM) reflects the requirement for authenticated access and user interaction, which substantially reduces risk compared to unauthenticated XSS. The limited impact scope (confidentiality and integrity only, no availability) further constrains the score. However, the network-accessible attack vector (AV:N) and low attack complexity (AC:L) prevent the score from dropping to LOW. In context, the spoofing capability and potential for credential harvesting elevate the practical risk in trust-sensitive environments. Organizations should not dismiss this as purely low-risk due to the MEDIUM label; rather, interpret the score as 'moderate severity for authenticated users in a trusted application,' which may warrant faster patching than a similar score in a public-facing service.
Frequently asked questions
Can this vulnerability be exploited without a valid Project Server account?
No. The CVSS vector PR:L (Privileges Required: Low) indicates the attacker must be an authenticated user. Anyone without valid credentials cannot exploit this vulnerability. This is a significant mitigating factor compared to unauthenticated XSS flaws.
What is 'spoofing' in the context of this XSS vulnerability?
Spoofing in this case means an attacker can manipulate the appearance or content of Project Server pages to trick users into believing they are interacting with legitimate Project Server features. For example, a malicious script could display a fake login prompt, hide warnings, or inject unauthorized content to deceive victims into revealing credentials or performing actions they would not normally authorize.
Do we need to patch Project Server immediately, or can we wait for the next regular update cycle?
Given the CVSS score of 4.6 and the requirement for user interaction and authentication, patching within your standard security update cycle (typically 30–60 days) is reasonable unless you have a high-risk user population or sensitive workflows in Project Server. Organizations with advanced persistent threat (APT) concerns or high-value targets should prioritize earlier deployment. Monitor your environment for suspicious activity and consider interim controls such as web filtering or additional authentication for sensitive Project Server operations.
How does this XSS vulnerability differ from other Project Server security issues?
This vulnerability is specific to web page generation, meaning it affects the user interface and browser-side interactions. Unlike vulnerabilities affecting the server's core logic or data storage, this XSS flaw does not grant direct access to the database or server files. However, its spoofing capability makes it particularly effective for social engineering and credential harvesting, which are often the first stage of a broader attack. Its impact is amplified in organizations where Project Server users trust the application to perform sensitive approvals or allocations.
This analysis is provided for informational purposes and reflects publicly available information current as of the publication date. SEC.co does not perform original code analysis or independent vulnerability verification. Verify all patch version numbers, KB articles, and affected product editions directly against Microsoft's official security advisories. Your organization's risk assessment should account for local threat models, user populations, and business criticality. This is not a substitute for professional security consulting or vendor guidance. Always test patches in a non-production environment before deployment. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11150MEDIUMChrome XML UXSS Vulnerability – Patch Guide
- CVE-2026-11166MEDIUMChrome SVG Injection Vulnerability – 6.8 CVSS Medium Severity
- CVE-2026-11186MEDIUMChrome UXSS Vulnerability in CSS Rendering—Urgent Patch Required
- CVE-2026-11273MEDIUMGoogle Chrome Omnibox Script Injection Vulnerability (UXSS) – Patch 149.0.7827.53
- CVE-2026-33113MEDIUMMicrosoft SharePoint Cross-Site Scripting (XSS) Vulnerability Analysis
- CVE-2026-45453MEDIUMMicrosoft SharePoint Cross-Site Scripting (XSS) Vulnerability
- CVE-2026-45462MEDIUMSharePoint XSS Vulnerability – Spoofing Risk & Patch Guidance
- CVE-2026-45464MEDIUMSharePoint XSS Vulnerability – Spoofing Risk & Patching Guide