MEDIUM 4.6

CVE-2026-47640: Microsoft SharePoint XSS Vulnerability – MEDIUM Severity Spoofing Risk

Microsoft Office SharePoint contains a cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject malicious scripts into web pages. When a user with appropriate permissions views a compromised page, the injected script executes in their browser, potentially allowing the attacker to steal session tokens, modify page content, or redirect users to malicious sites. This is a reflected or stored XSS flaw depending on how SharePoint processes and stores the unfiltered input.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.6 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
3 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-47640 is a CWE-79 (Improper Neutralization of Input During Web Page Generation) vulnerability affecting Microsoft SharePoint Server. The vulnerability stems from insufficient input sanitization during web page generation, permitting an authenticated attacker to inject arbitrary HTML and JavaScript. The attack requires user interaction (UI:R in the CVSS vector) and does not require elevated privileges beyond standard SharePoint access. Network-based exploitation is possible, and the attack scope is unchanged—impact is limited to confidentiality and integrity of the affected user's session and displayed content.

Business impact

SharePoint is often used for document collaboration, intranet portals, and sensitive data sharing across organizations. A successful XSS attack could result in credential theft, unauthorized access to sensitive documents, defacement of internal communications, or social engineering attacks launched from trusted internal platforms. For organizations using SharePoint for compliance-critical processes, this could undermine trust in the platform and lead to temporary service disruption during remediation. Attackers with valid SharePoint credentials—whether internal, compromised, or from a supply-chain partner—pose the immediate risk.

Affected systems

Microsoft SharePoint Server (multiple versions listed in vendor advisory). Organizations running on-premises SharePoint Server deployments are affected. SharePoint Online (Microsoft 365) status should be verified against the vendor advisory, as cloud versions may be patched separately or may not be vulnerable. Confirm exact version numbers and deployment models in your environment against the official Microsoft security bulletin.

Exploitability

Exploitability is moderate. The vulnerability requires an attacker to have valid SharePoint credentials (authorized user status), reducing the threat surface compared to unauthenticated flaws. However, such credentials are often distributed across large organizations or may be obtained through phishing or insider threat. User interaction is required—the victim must visit a page containing the injected payload—but this is a low bar in an intranet environment where users trust internal links. No known public exploit exists as of the advisory date, but the simplicity of XSS attacks means exploitation code is straightforward once the injection point is identified.

Remediation

Apply the security update provided by Microsoft for your specific SharePoint Server version and deployment configuration. Microsoft typically provides cumulative updates or security-only patches. Test patches in a non-production environment first, as SharePoint updates can affect site behavior and custom solutions. Concurrently, audit user permissions to ensure least-privilege access to SharePoint sites and libraries. For defense-in-depth, implement Content Security Policy (CSP) headers where possible, though on-premises SharePoint customization is required.

Patch guidance

Obtain the latest security update from the Microsoft Update Catalog or through Windows Server Update Services (WSUS). The exact patch version number depends on your current SharePoint Server version; verify against the official Microsoft security bulletin (typically a KB article). After applying patches, verify via the SharePoint Central Administration or by checking the installed update history. Plan updates during maintenance windows, as SharePoint farms may require brief service interruptions. Test for compatibility with third-party add-ins and custom solutions before production deployment.

Detection guidance

Monitor SharePoint logs (ULS logs, if available) for unusual POST requests to web page generation endpoints, particularly those containing script-like payloads (< >, script tags, javascript: protocol). Implement web application firewall (WAF) rules to detect and block common XSS patterns at the network perimeter if SharePoint is exposed. Search audit logs for modification of pages or web parts by low-privilege accounts. Endpoint Detection and Response (EDR) tools should flag JavaScript execution from SharePoint contexts that deviate from normal admin or development activity. Review IIS logs for requests containing encoded XSS signatures.

Why prioritize this

This vulnerability warrants prompt but not emergency patching. The CVSS score of 4.6 (MEDIUM) reflects the requirement for authentication and user interaction, reducing immediate blast radius. However, SharePoint is often central to organizational workflows, and compromised accounts or internal threat actors can easily exploit this flaw to steal data or impersonate communications. It does not currently appear in the CISA Known Exploited Vulnerabilities catalog, suggesting no active weaponization at time of advisory. Prioritize based on your organization's risk tolerance for insider threats and the sensitivity of data in SharePoint.

Risk score, explained

The CVSS v3.1 score of 4.6 reflects a MEDIUM severity rating. The vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N indicates: Network-accessible attack vector (AV:N) with low attack complexity (AC:L), but requires low privileges (PR:L—valid user credentials) and requires user interaction (UI:R—victim must visit a malicious page). Confidentiality and Integrity are slightly impacted (C:L, I:L), but Availability is not affected (A:N). This scoring appropriately penalizes the authentication requirement while acknowledging the ease of exploitation once access is obtained.

Frequently asked questions

Is this vulnerability being actively exploited?

As of the advisory date (June 2026), this vulnerability does not appear on the CISA Known Exploited Vulnerabilities list, indicating no confirmed active exploitation in the wild. However, XSS flaws are well-understood attack vectors, and proof-of-concept code is likely to emerge quickly once the advisory is widely publicized.

Do we need to patch SharePoint Online (Microsoft 365)?

The affected products listed are SharePoint Server (on-premises). Microsoft 365 SharePoint Online may have a different vulnerability status. Check the official Microsoft security bulletin for your specific tenant and service model. Microsoft typically patches cloud services independently and on their own schedule.

What if our organization relies heavily on SharePoint for sensitive workflows?

Implement compensating controls while awaiting patch deployment: restrict SharePoint access to trusted networks only, enforce multi-factor authentication (MFA) for all SharePoint users, reduce the number of accounts with page-editing permissions, and monitor audit logs closely. These steps reduce attack surface even before patches are applied.

Can we mitigate this without patching?

Full mitigation requires the security update. However, organizations can reduce risk by disabling unused web parts, restricting custom JavaScript in site definitions, and implementing strict Content Security Policy headers if your SharePoint configuration permits. These are stopgaps only and should not replace prompt patching.

This analysis is provided for informational purposes and reflects publicly available advisory data as of the publication date. Vulnerability details, patch availability, and exploitation status may change. Organizations should verify all affected product versions, patch release dates, and compatibility notes against official Microsoft security bulletins and vendor advisories. SEC.co makes no warranty regarding the completeness or timeliness of this analysis. Always conduct your own testing and validation before applying security patches to production systems. Security decisions should be informed by your organization's risk management policies and threat model. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).