HIGH 7.3

CVE-2026-47634: SharePoint Output Injection Spoofing Vulnerability

A vulnerability in Microsoft Office SharePoint allows someone with valid access to inject malicious content that tricks downstream components into displaying fake or spoofed information to other users. The attacker must have legitimate credentials and convince a user to interact with the malicious content, but once triggered, the attack succeeds reliably and can achieve high impact by either stealing sensitive data or modifying what users see.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Weaknesses (CWE)
CWE-74, CWE-79
Affected products
2 configuration(s)
Published / Modified
2026-06-09 / 2026-07-09

NVD description (verbatim)

Improper neutralization of special elements in output used by a downstream component ('injection') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-47634 is an output encoding failure (CWE-74, CWE-79) in SharePoint that permits improper neutralization of special elements in data passed to downstream rendering components. An authenticated attacker can craft payloads that bypass output encoding, resulting in context-dependent injection. The CVSS 3.1 score of 7.3 (HIGH) reflects network-accessible attack surface, low attack complexity, required authenticated access, user interaction dependency, and high impact to confidentiality and integrity.

Business impact

SharePoint spoofing attacks can undermine trust in internal communications, enable phishing against users who believe they are reading authentic content from trusted sources, facilitate credential harvesting, and potentially spread malware disguised as legitimate internal resources. Given SharePoint's role in document management and team collaboration, successful exploitation could compromise sensitive intellectual property or financial data that appears to come from legitimate internal actors.

Affected systems

Microsoft SharePoint Server is affected. Exact version scope should be verified against the official Microsoft security advisory to determine which product editions and update levels are impacted and whether cloud-hosted (SharePoint Online) or on-premises deployments carry the same risk.

Exploitability

Exploitation requires valid SharePoint user credentials and successful social engineering to trigger user interaction with the malicious content. There is no evidence of active exploitation in the wild (not listed on CISA KEV). However, the low attack complexity and straightforward injection mechanism mean that once discovered, reliable exploits are likely to emerge quickly. The barrier to entry is moderate for insiders but higher for external threat actors.

Remediation

Apply patches from Microsoft as soon as they become available through standard SharePoint update channels. Until patching is complete, restrict SharePoint access to trusted internal users and networks, monitor for unusual content creation or modification patterns, and educate users to verify the source and authenticity of sensitive communications arriving through SharePoint.

Patch guidance

Monitor Microsoft's official security bulletins and the SharePoint product update schedule for patched versions. Prioritize deployment in non-production environments first to validate compatibility. Verify patch applicability for your specific SharePoint edition (Server 2019, 2016, or other variants) before production rollout. Test collaborative workflows and third-party integrations post-patch to ensure no regressions.

Detection guidance

Monitor SharePoint content audit logs for unusual submissions or modifications containing special characters, script tags, or encoded payloads in documents and list items. Flag any rapid creation of content followed by user clicks on suspicious links. Review SharePoint search query logs and click-through patterns for evidence of users accessing spoofed content. Correlate with email gateway logs if SharePoint links are shared externally or in forwarded communications.

Why prioritize this

Although not yet in CISA's KEV catalog, the HIGH severity rating, low attack complexity, and SharePoint's pervasive use in enterprise environments warrant prompt attention. Spoofing attacks are particularly effective in organizations that rely on SharePoint for trusted internal communication. The authentication requirement limits attack surface but not urgency, since insiders and compromised accounts present realistic threats.

Risk score, explained

The 7.3 CVSS score reflects high confidentiality and integrity impact (users can be deceived into disclosing or modifying sensitive information), combined with network accessibility and low attack complexity. The requirement for prior authentication and user interaction prevents a maximum score, but the attack is still reliably exploitable by insiders and creates meaningful risk to data integrity and organizational trust.

Frequently asked questions

Do we need to patch immediately if SharePoint is behind a firewall and only accessible to employees?

Yes. Insiders with valid accounts—especially those with content creation privileges—represent a realistic threat vector. A disgruntled employee or compromised account could inject spoofed content targeting executives or sensitive teams. Patching should not be delayed based solely on network segmentation.

What's the difference between this spoofing vulnerability and a typical Cross-Site Scripting (XSS) flaw?

Both involve improper output encoding, but spoofing specifically manipulates what users perceive the message or document *sender* or *source* to be, rather than executing arbitrary scripts in the browser. The attacker's goal is deception and trust exploitation, not necessarily code execution. That said, injection flaws can enable both XSS and spoofing depending on the payload and context.

Is SharePoint Online affected, or only on-premises SharePoint Server?

The source data confirms SharePoint Server is affected; you must verify against Microsoft's official advisory whether SharePoint Online or other cloud offerings carry the same vulnerability. Microsoft typically patches cloud services automatically, but affected on-premises customers must apply patches manually.

How should we communicate this risk to users before patches are available?

Advise users to verify the authenticity of sensitive SharePoint documents through secondary channels (direct conversation, email signature verification, known contact methods) if the content requests action or contains unexpected information. Remind them that internal communications should not ask for passwords or financial data, regardless of apparent source.

This analysis is based on the official vulnerability description and CVSS assessment as of the publication date. Specific product versions, patch availability, and exploit status may evolve. Organizations must verify all remediation guidance against Microsoft's official security bulletins and their own environment configurations. SEC.co makes no warranty regarding the completeness or timeliness of this intelligence and assumes no liability for decisions made in reliance on it. Always conduct your own risk assessment and consult with your vendor and security team before implementing changes. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).