CVE-2026-45468: Microsoft SharePoint Server XSS Vulnerability

CVE-2026-45468 is a cross-site scripting flaw in Microsoft SharePoint Server that enables authorized attackers to perform spoofing attacks. This article covers technical details, affected versions, impact, and mitigation.

CVE-2026-45468 Overview

CVE-2026-45468 is a stored cross-site scripting (XSS) vulnerability in Microsoft Office SharePoint Server. The flaw stems from improper neutralization of user-supplied input during web page generation [CWE-79]. An authenticated attacker with low privileges can inject script content that executes in the browser context of another SharePoint user, enabling spoofing of trusted UI elements over the network.

Microsoft published the advisory on June 9, 2026. The vulnerability requires user interaction and changes the security scope, allowing impact beyond the vulnerable component.

Critical Impact

Authenticated attackers can inject malicious scripts into SharePoint pages, spoofing trusted content and harvesting session data from victims who view the affected page.

Affected Products

  • Microsoft SharePoint Server Subscription Edition
  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Server 2016 Enterprise

Discovery Timeline

  • 2026-06-09 - CVE-2026-45468 published to NVD
  • 2026-06-11 - Last updated in NVD database

Technical Details for CVE-2026-45468

Vulnerability Analysis

The vulnerability is a stored cross-site scripting flaw in SharePoint Server's web page generation pipeline. SharePoint fails to properly neutralize user-controlled input before rendering it in HTML responses. When a victim loads the affected page, attacker-supplied script executes in the victim's browser under the SharePoint origin.

The scope is classified as changed, indicating that injected script can affect resources beyond the vulnerable SharePoint component. This typically manifests as the script reaching other applications, frames, or cross-origin contexts trusted by the victim. The primary impact is spoofing — attackers can manipulate page content to impersonate legitimate SharePoint interfaces.

Exploitation requires the attacker to hold a valid low-privileged SharePoint account and requires a victim to interact with the malicious content. The attack vector is network-based, meaning the attacker does not need local access to the SharePoint server.

Root Cause

The root cause is missing or incomplete output encoding in a SharePoint page-generation routine. User-supplied input flows from a persistent store into HTML output without contextual sanitization. Because the input is stored server-side, the payload triggers each time a user loads the affected resource.
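The defect described above is contextual output encoding that is absent on the path from the persistent store to the HTML response. The following Python sketch is an added illustration, not SharePoint's own code and not anything published by Microsoft: it places an unencoded rendering routine next to encoders for the three output contexts a page-generation routine typically hits (HTML text node, HTML attribute, URL). The stored title, the `pageTitle` class name and the `notify()` script name are constructed sample values.

```python
import html
import re
from urllib.parse import urlparse

# Constructed sample list-item value (not a real SharePoint record): a title a
# contributor could store. The script name is deliberately meaningless.
STORED_TITLE = "Q3 plan <script>notify()</script>"


def render_vulnerable(title: str) -> str:
    """Mirrors the root cause: stored input is interpolated into HTML as-is."""
    return f'<h1 class="pageTitle">{title}</h1>'


def render_hardened(title: str) -> str:
    """HTML text-node context: entity-encode <, >, &, and quotes before output."""
    return f'<h1 class="pageTitle">{html.escape(title, quote=True)}</h1>'


def render_attribute(label: str) -> str:
    """HTML attribute context: the value is entity-encoded and double-quoted,
    so a stored value cannot close the attribute or add an event handler."""
    return f'<a title="{html.escape(label, quote=True)}">link</a>'


def safe_href(url: str) -> str:
    """URL context: only http(s) or relative links pass; any other scheme
    (javascript:, data:, vbscript:) is replaced with a harmless '#'. Control
    characters are removed first because browsers ignore them inside a scheme."""
    cleaned = re.sub(r"[\x00-\x1f\x7f]", "", url).strip()
    scheme = urlparse(cleaned).scheme.lower()
    if scheme and scheme not in ("http", "https"):
        return "#"
    return html.escape(cleaned, quote=True)


def contains_raw_markup(rendered: str, stored: str) -> bool:
    """True when the stored string reached the page without being encoded."""
    return stored in rendered


if __name__ == "__main__":
    print(render_vulnerable(STORED_TITLE))
    print(render_hardened(STORED_TITLE))
    print(safe_href("javascript:notify()"), safe_href("/sites/finance/SitePages/Q3.aspx"))
```

The point of the three encoders is that the correct encoding depends on where the value lands: `html.escape` is right for text nodes and quoted attributes but does nothing against a `javascript:` scheme in an `href`, which needs scheme validation instead.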

Attack Vector

An authenticated attacker submits crafted input through a SharePoint feature that accepts user content, such as list items, page fields, or web part properties. SharePoint persists the payload and serves it within HTML markup. When another authenticated user — typically a higher-privileged collaborator — opens the affected page, the embedded script executes in their browser session. The attacker uses this execution to render fake login prompts, modify page content, or exfiltrate session tokens.

No public proof-of-concept exploit is available. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS score is 0.06%.

Detection Methods for CVE-2026-45468

Indicators of Compromise

  • SharePoint list items, page fields, or web part properties containing <script>, javascript:, or HTML event handler attributes such as onerror= and onload=.
  • Unexpected outbound HTTP requests from user browsers to attacker-controlled domains after loading SharePoint pages.
  • Anomalous edits to SharePoint content by low-privileged accounts immediately followed by access from privileged users.

Detection Strategies

  • Inspect SharePoint content databases and audit logs for input fields containing HTML or script tokens that should be plain text.
  • Correlate SharePoint ItemUpdated and ItemAdded events with subsequent page-render activity by different user accounts.
  • Deploy Content Security Policy (CSP) reporting endpoints to capture script-source violations on SharePoint origins.
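The first detection strategy and the first indicator of compromise both come down to scanning stored fields that should be plain text for script tokens. The scanner below is an added example, not a tool from Microsoft or this database; it runs over a constructed export of list-item fields (the list names, item ids and values are invented) and flags the three indicator classes named above. It also covers two edge cases a practitioner hits in practice: a control character splitting the `javascript:` scheme, which browsers ignore, and prose that merely contains a word such as "onload", which must not be flagged.

```python
import re

# Constructed export of list-item fields that are supposed to hold plain text
# (not real SharePoint data). Field names follow common SharePoint naming.
SAMPLE_ITEMS = [
    {"id": 101, "list": "Announcements", "field": "Title", "value": "Maintenance window Friday"},
    {"id": 102, "list": "Announcements", "field": "Body", "value": "Welcome <img src=x onerror=notify()>"},
    {"id": 103, "list": "Links", "field": "URL", "value": "JavaScript:notify()"},
    {"id": 104, "list": "Pages", "field": "Description", "value": "Q3 plan <script >notify()</script>"},
    {"id": 105, "list": "Tasks", "field": "Title", "value": "Onsite lead: onload procedure review"},
    {"id": 106, "list": "Links", "field": "URL", "value": "java\tscript:notify()"},
]

# Indicators from the advisory: script tags, javascript: URIs, and HTML event
# handler attributes. The handler pattern requires an enclosing tag so that the
# words "onload" or "onsite" in ordinary prose do not fire.
INDICATORS = {
    "script_tag": re.compile(r"<\s*/?\s*script\b", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "event_handler": re.compile(r"<[^>]*?\bon[a-z]+\s*=", re.IGNORECASE),
}


def scan_items(items):
    """Return one finding per (item, indicator) whose stored value matches."""
    findings = []
    for item in items:
        value = item["value"]
        # Match both the raw value and a copy with control characters removed,
        # since browsers drop tabs/newlines inside a URL scheme.
        views = (value, re.sub(r"[\x00-\x1f]", "", value))
        for name, pattern in INDICATORS.items():
            if any(pattern.search(v) for v in views):
                findings.append(
                    {"id": item["id"], "list": item["list"], "field": item["field"], "indicator": name}
                )
    return findings


def suspicious_ids(items):
    """Sorted, de-duplicated item ids that need manual review."""
    return sorted({f["id"] for f in scan_items(items)})


if __name__ == "__main__":
    for finding in scan_items(SAMPLE_ITEMS):
        print(finding)
```

Findings are review leads, not verdicts: a list column that legitimately holds HTML (a rich-text Body field) will match, so the scan is most useful on columns whose type is single-line or plain text.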

Monitoring Recommendations

  • Enable SharePoint Unified Logging Service (ULS) and audit logging for content modifications across site collections.
  • Forward SharePoint audit events and IIS logs to a centralized SIEM for cross-user behavioral correlation.
  • Monitor for privileged users accessing pages recently modified by external or guest accounts.
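The correlation called for in the detection strategies and in the last monitoring recommendation (a content change by a low-privileged account followed by a view from a privileged account) can be expressed as a short rule over audit events. The code below is an added example, not SharePoint or SIEM vendor code; the event lines are constructed and simplified, the role names are assumptions about how an organisation labels its accounts, and the 60-minute window is a tunable choice. A real deployment would map exported SharePoint audit or SIEM fields onto the same five attributes.

```python
import re
from datetime import datetime, timedelta

# Constructed, simplified audit records (not real SharePoint audit-log or ULS
# output); a SIEM export would be mapped to the same fields.
SAMPLE_EVENTS = [
    "2026-06-10T09:12:04Z ItemUpdated user=ext_guest@partner.example role=Guest item=/sites/finance/SitePages/Q3.aspx",
    "2026-06-10T09:14:30Z View user=cfo@contoso.example role=SiteCollectionAdmin item=/sites/finance/SitePages/Q3.aspx",
    "2026-06-10T09:20:00Z View user=ext_guest@partner.example role=Guest item=/sites/finance/SitePages/Q3.aspx",
    "2026-06-10T10:02:11Z ItemAdded user=jdoe@contoso.example role=Contributor item=/sites/hr/Lists/Announcements/7_.000",
    "2026-06-10T13:45:00Z View user=admin@contoso.example role=SiteCollectionAdmin item=/sites/hr/Lists/Announcements/7_.000",
    "2026-06-10T11:00:00Z ItemUpdated user=admin@contoso.example role=SiteCollectionAdmin item=/sites/hr/SitePages/Home.aspx",
    "2026-06-10T11:01:00Z View user=ceo@contoso.example role=SiteCollectionAdmin item=/sites/hr/SitePages/Home.aspx",
    "malformed line that the parser must skip",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) role=(?P<role>\S+) item=(?P<item>\S+)$"
)
MODIFY_EVENTS = {"ItemAdded", "ItemUpdated"}
# Assumed role labels; adjust to the organisation's own naming.
LOW_PRIV_ROLES = {"Guest", "External", "Visitor", "Contributor"}
HIGH_PRIV_ROLES = {"SiteOwner", "SiteCollectionAdmin", "FarmAdmin"}
WINDOW = timedelta(minutes=60)


def parse_events(lines):
    """Parse audit lines into dicts with a datetime timestamp; skip malformed lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def correlate(events, window=WINDOW):
    """Alert when a privileged user views an item within `window` of a change
    to that same item by a different, low-privileged user."""
    alerts = []
    mods = [e for e in events if e["event"] in MODIFY_EVENTS and e["role"] in LOW_PRIV_ROLES]
    views = [e for e in events if e["event"] == "View" and e["role"] in HIGH_PRIV_ROLES]
    for mod in mods:
        for view in views:
            if view["item"] != mod["item"] or view["user"] == mod["user"]:
                continue
            delta = view["ts"] - mod["ts"]
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "item": mod["item"],
                    "editor": mod["user"],
                    "viewer": view["user"],
                    "seconds_after_edit": int(delta.total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the sample data only the finance page fires: the guest edit is followed by an admin view two minutes later. The HR announcement is viewed outside the window, and the home-page edit was made by an admin, so neither produces an alert; the window and role sets are what tune the noise level.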

How to Mitigate CVE-2026-45468

Immediate Actions Required

  • Apply the Microsoft security update referenced in the Microsoft Security Update Guide for CVE-2026-45468.
  • Review SharePoint site permissions and remove unnecessary contributor-level access from untrusted accounts.
  • Audit recent content modifications in publicly accessible site collections for embedded HTML or script payloads.

Patch Information

Microsoft has released security updates addressing CVE-2026-45468 for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016. Refer to the Microsoft Security Update Guide for the specific KB articles and binary versions applicable to each deployment.

Workarounds

  • Restrict contributor and edit permissions on SharePoint sites to trusted users only until patches are deployed.
  • Enforce a strict Content Security Policy on SharePoint origins to limit inline script execution.
  • Disable custom script support on self-service-created sites using the Set-SPOSite -DenyAddAndCustomizePages setting where applicable.
```powershell
# Disable custom script execution on SharePoint sites (SharePoint Online cmdlet shown for reference;
# requires the SharePoint Online Management Shell module and an open Connect-SPOService session).
# $true denies adding and customising pages (custom script off); $false re-enables it.
Set-SPOSite -Identity https://contoso.sharepoint.com/sites/example -DenyAddAndCustomizePages $true
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
