CVE-2026-45483 Overview
CVE-2026-45483 is a stored cross-site scripting (XSS) vulnerability in Microsoft Office Project Server. The flaw stems from improper neutralization of user-supplied input during web page generation [CWE-79]. An authenticated attacker can inject crafted content that the server renders in another user's browser session. Successful exploitation enables spoofing actions over the network.
Exploitation requires the attacker to hold low-level privileges on the Project Server and requires the targeted user to interact with the malicious content. The impact is bounded to limited confidentiality and integrity loss, with no direct availability impact.
Critical Impact
An authenticated attacker can inject script content that executes in a victim's browser session, enabling spoofing of user interface elements and potential theft of session context within Microsoft Office Project Server.
Affected Products
- Microsoft Office Project Server
Discovery Timeline
- 2026-06-09 - CVE-2026-45483 published to the National Vulnerability Database (NVD)
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-45483
Vulnerability Analysis
The vulnerability resides in the web page generation logic of Microsoft Office Project Server. The application accepts user-controllable input through project fields, task data, or similar entity attributes and renders that input into HTML responses without sufficient encoding. When a victim views the affected page, the browser parses attacker-controlled markup as executable script.
The Exploit Prediction Scoring System (EPSS) assigns this issue a probability of 0.058% as of 2026-06-11, placing it in the 18.5th percentile. No public proof-of-concept code or in-the-wild exploitation has been reported.
Because Project Server is typically deployed within enterprise collaboration environments, the rendered script executes in the security context of the Project Server origin. This enables access to session cookies, document content, and any actions the victim is authorized to perform.
Root Cause
The root cause is missing or incomplete output encoding when reflecting user-supplied data into HTML responses. The server fails to apply context-appropriate sanitization for HTML, attribute, or JavaScript contexts before emitting the response, allowing markup characters to retain their syntactic meaning in the browser.
Attack Vector
The attack vector is network-based and requires the attacker to authenticate to Project Server with at least low privileges. The attacker stores malicious payload content in a field the application later renders to other users. When a privileged user views the affected page, the payload executes in their browser context. The vulnerability is described in detail in the Microsoft Security Update CVE-2026-45483 advisory.
The injected script can perform spoofing by altering displayed content, forging UI prompts, or initiating requests on behalf of the victim within the Project Server application.
Detection Methods for CVE-2026-45483
Indicators of Compromise
- Project Server entity fields containing HTML tags such as <script>, <img onerror=>, or <svg onload=> patterns
- Outbound HTTP requests from user browsers to unfamiliar domains immediately after loading Project Server pages
- Unexpected authenticated actions performed under user accounts that recently viewed shared project content
Detection Strategies
- Inspect Project Server application logs for write operations containing encoded or raw script syntax in user-editable fields
- Deploy web application firewall rules that flag HTML or JavaScript syntax submitted to Project Server endpoints
- Correlate browser telemetry with Project Server access logs to identify script execution originating from rendered project data
Monitoring Recommendations
- Monitor IIS and SharePoint ULS logs associated with Project Server for anomalous POST payloads to project, task, or resource APIs
- Track session activity for users viewing content authored by low-privilege accounts and flag unexpected privilege use
- Alert on Content Security Policy (CSP) violation reports from Project Server origins
How to Mitigate CVE-2026-45483
Immediate Actions Required
- Apply the Microsoft security update referenced in the MSRC advisory for CVE-2026-45483
- Review existing Project Server content for stored script payloads in user-editable fields and sanitize affected records
- Audit Project Server account privileges and remove unnecessary authoring rights from low-trust users
Patch Information
Microsoft has issued a security update addressing CVE-2026-45483. Administrators should consult the Microsoft Security Update Guide entry for CVE-2026-45483 for the applicable build numbers and deployment instructions for their Project Server version.
Workarounds
- Enforce a restrictive Content Security Policy on Project Server responses to block inline script execution
- Restrict project authoring permissions to trusted users until patches are deployed
- Educate users to avoid interacting with project items from unknown or low-privilege contributors
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

