Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-45483

CVE-2026-45483: Microsoft Project Server XSS Vulnerability

CVE-2026-45483 is a cross-site scripting flaw in Microsoft Office Project Server that enables authorized attackers to perform spoofing attacks. This article covers the technical details, affected systems, and mitigation.

Published:

CVE-2026-45483 Overview

CVE-2026-45483 is a stored cross-site scripting (XSS) vulnerability in Microsoft Office Project Server. The flaw stems from improper neutralization of user-supplied input during web page generation [CWE-79]. An authenticated attacker can inject crafted content that the server renders in another user's browser session. Successful exploitation enables spoofing actions over the network.

Exploitation requires the attacker to hold low-level privileges on the Project Server and requires the targeted user to interact with the malicious content. The impact is bounded to limited confidentiality and integrity loss, with no direct availability impact.

Critical Impact

An authenticated attacker can inject script content that executes in a victim's browser session, enabling spoofing of user interface elements and potential theft of session context within Microsoft Office Project Server.

Affected Products

  • Microsoft Office Project Server

Discovery Timeline

  • 2026-06-09 - CVE-2026-45483 published to the National Vulnerability Database (NVD)
  • 2026-06-09 - Last updated in NVD database

Technical Details for CVE-2026-45483

Vulnerability Analysis

The vulnerability resides in the web page generation logic of Microsoft Office Project Server. The application accepts user-controllable input through project fields, task data, or similar entity attributes and renders that input into HTML responses without sufficient encoding. When a victim views the affected page, the browser parses attacker-controlled markup as executable script.

The Exploit Prediction Scoring System (EPSS) assigns this issue a probability of 0.058% as of 2026-06-11, placing it in the 18.5th percentile. No public proof-of-concept code or in-the-wild exploitation has been reported.

Because Project Server is typically deployed within enterprise collaboration environments, the rendered script executes in the security context of the Project Server origin. This enables access to session cookies, document content, and any actions the victim is authorized to perform.

Root Cause

The root cause is missing or incomplete output encoding when reflecting user-supplied data into HTML responses. The server fails to apply context-appropriate sanitization for HTML, attribute, or JavaScript contexts before emitting the response, allowing markup characters to retain their syntactic meaning in the browser.

Attack Vector

The attack vector is network-based and requires the attacker to authenticate to Project Server with at least low privileges. The attacker stores malicious payload content in a field the application later renders to other users. When a privileged user views the affected page, the payload executes in their browser context. The vulnerability is described in detail in the Microsoft Security Update CVE-2026-45483 advisory.

The injected script can perform spoofing by altering displayed content, forging UI prompts, or initiating requests on behalf of the victim within the Project Server application.

Detection Methods for CVE-2026-45483

Indicators of Compromise

  • Project Server entity fields containing HTML tags such as <script>, <img onerror=>, or <svg onload=> patterns
  • Outbound HTTP requests from user browsers to unfamiliar domains immediately after loading Project Server pages
  • Unexpected authenticated actions performed under user accounts that recently viewed shared project content

Detection Strategies

  • Inspect Project Server application logs for write operations containing encoded or raw script syntax in user-editable fields
  • Deploy web application firewall rules that flag HTML or JavaScript syntax submitted to Project Server endpoints
  • Correlate browser telemetry with Project Server access logs to identify script execution originating from rendered project data

Monitoring Recommendations

  • Monitor IIS and SharePoint ULS logs associated with Project Server for anomalous POST payloads to project, task, or resource APIs
  • Track session activity for users viewing content authored by low-privilege accounts and flag unexpected privilege use
  • Alert on Content Security Policy (CSP) violation reports from Project Server origins

How to Mitigate CVE-2026-45483

Immediate Actions Required

  • Apply the Microsoft security update referenced in the MSRC advisory for CVE-2026-45483
  • Review existing Project Server content for stored script payloads in user-editable fields and sanitize affected records
  • Audit Project Server account privileges and remove unnecessary authoring rights from low-trust users

Patch Information

Microsoft has issued a security update addressing CVE-2026-45483. Administrators should consult the Microsoft Security Update Guide entry for CVE-2026-45483 for the applicable build numbers and deployment instructions for their Project Server version.

Workarounds

  • Enforce a restrictive Content Security Policy on Project Server responses to block inline script execution
  • Restrict project authoring permissions to trusted users until patches are deployed
  • Educate users to avoid interacting with project items from unknown or low-privilege contributors

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.