CVE-2026-45453 Overview
CVE-2026-45453 is a cross-site scripting (XSS) vulnerability in Microsoft Office SharePoint Server. The flaw results from improper neutralization of user-controlled input during web page generation [CWE-79]. An authenticated attacker can inject script content that executes in another user's browser session, enabling spoofing across a network. Exploitation requires both attacker privileges and user interaction, such as clicking a crafted link or visiting a poisoned SharePoint page. Successful attacks lead to a scope change, exposing data and integrity in components beyond the vulnerable SharePoint instance. Microsoft documents the issue in its Microsoft CVE-2026-45453 Advisory.
Critical Impact
An authorized attacker can inject malicious script that executes in a victim's browser, enabling spoofing, session abuse, and theft of SharePoint content within the user's authorization context.
Affected Products
- Microsoft SharePoint Server Subscription Edition
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Server 2016 Enterprise
Discovery Timeline
- 2026-06-09 - CVE-2026-45453 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-45453
Vulnerability Analysis
The vulnerability is a stored or reflected cross-site scripting flaw in Microsoft Office SharePoint Server. SharePoint generates web pages that include user-supplied data without sufficient encoding or sanitization. An authenticated attacker with low privileges can submit input containing HTML or JavaScript payloads. When another SharePoint user renders the affected page, the injected script executes in that user's browser under the SharePoint origin. The scope change indicates the impact extends beyond the SharePoint authorization boundary, affecting the browser security context of the victim. The Microsoft advisory categorizes the resulting harm as spoofing, where the attacker can present forged content, manipulate links, or impersonate trusted interface elements.
Root Cause
The root cause is improper neutralization of input during web page generation, classified under [CWE-79]. SharePoint fails to apply context-appropriate output encoding to attacker-controlled values before embedding them in HTML responses. Server-side handlers accept input that flows directly into rendered markup, allowing <script> tags, event handlers, and other active content to survive into the response.
Attack Vector
The attack is network-based and requires the attacker to hold valid SharePoint credentials. The attacker stores a payload in a SharePoint resource — for example, a list item, document property, page field, or web part — or constructs a URL that reflects script back to a victim. The victim must interact with the malicious content, such as opening the affected page. Because the vulnerability triggers a scope change, the injected script can interact with resources outside the original component, increasing the surface for credential theft, UI redress, and spoofing of SharePoint workflows.
No public proof-of-concept exploit code is referenced in the NVD entry, and the EPSS probability remains low.
Detection Methods for CVE-2026-45453
Indicators of Compromise
- SharePoint list items, page fields, or document metadata containing <script>, javascript:, or event-handler attributes such as onerror= and onload=.
- HTTP requests to SharePoint endpoints with URL parameters carrying encoded HTML entities or unusual angle-bracket sequences.
- Outbound browser requests from authenticated SharePoint users to unfamiliar domains immediately after rendering SharePoint pages.
Detection Strategies
- Inspect SharePoint Unified Logging Service (ULS) logs and IIS request logs for parameter values containing script tags or HTML control characters.
- Apply Web Application Firewall (WAF) rules that flag XSS payload patterns submitted to SharePoint _layouts, _api, and _vti_bin endpoints.
- Hunt across content databases for stored fields whose values include script syntax or unexpected HTML.
Monitoring Recommendations
- Enable Content Security Policy (CSP) reporting and monitor violation reports originating from SharePoint domains.
- Alert on browser process spawning anomalies or unusual document.cookie access patterns from endpoints that recently accessed SharePoint.
- Correlate authenticated SharePoint sessions with outbound traffic to newly registered or low-reputation domains.
How to Mitigate CVE-2026-45453
Immediate Actions Required
- Apply the Microsoft security update referenced in the Microsoft CVE-2026-45453 Advisory to all affected SharePoint Server editions.
- Inventory SharePoint farms and identify any 2016 Enterprise, 2019, and Subscription Edition instances exposed to internal or external users.
- Audit recently modified list items, pages, and document properties for script content prior to patching.
Patch Information
Microsoft has released a security update for CVE-2026-45453 covering SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016 Enterprise. Administrators should consult the Microsoft Security Response Center advisory for the specific build numbers and deploy through standard SharePoint patching procedures, including running the SharePoint Products Configuration Wizard after binary installation.
Workarounds
- Restrict SharePoint authoring permissions so that only trusted accounts can create or edit list items, pages, and web parts until patching is complete.
- Enforce a strict Content Security Policy on SharePoint sites to limit inline script execution.
- Require multi-factor authentication for SharePoint accounts to reduce the pool of attackers who can satisfy the authentication precondition.
- Educate users to avoid clicking unsolicited SharePoint links, since exploitation requires user interaction.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
