CVE-2026-47636 Overview
CVE-2026-47636 is a stored cross-site scripting (XSS) vulnerability in Microsoft Office SharePoint. The flaw stems from improper neutralization of user-supplied input during web page generation [CWE-79]. An authorized attacker with low privileges can inject script content that executes in another user's browser session, enabling spoofing attacks across the network.
Exploitation requires user interaction and authenticated access to the SharePoint instance. The scope change in the CVSS vector indicates that injected content can affect resources beyond the vulnerable component.
Critical Impact
Authenticated attackers can inject scripts that execute in the context of other SharePoint users, enabling content spoofing and limited data exposure across affected sites.
Affected Products
- Microsoft SharePoint Server Subscription Edition
- Microsoft SharePoint Server 2016 Enterprise
- Microsoft SharePoint Server 2019
Discovery Timeline
- 2026-06-09 - CVE-2026-47636 published to the National Vulnerability Database
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-47636
Vulnerability Analysis
The vulnerability resides in SharePoint Server's web page generation pipeline. SharePoint fails to properly neutralize attacker-controlled input before reflecting or storing it in rendered HTML output. When another authenticated user views the affected page, the browser executes the injected script in the context of the SharePoint origin.
Because the CVSS scope is changed, script execution can reach resources beyond the immediate component, including content rendered from related site collections or embedded controls. The vulnerability is classified under [CWE-79], Improper Neutralization of Input During Web Page Generation.
The attack delivers spoofing rather than direct code execution on the server. An attacker can manipulate displayed content, capture session tokens accessible to script, or coerce victims into performing actions under their own privileges.
Root Cause
The root cause is insufficient output encoding of user-controllable fields rendered by SharePoint. Input that should be HTML-encoded or sanitized before insertion into the DOM is instead written into pages where browsers parse it as executable markup or script.
Attack Vector
The attack is network-based and requires the attacker to hold a low-privilege authenticated SharePoint account. The attacker plants malicious payload data into a SharePoint field, list item, or page component. A second authenticated user must then view the crafted resource, satisfying the user interaction requirement.
Once the victim loads the page, the injected script runs with the victim's SharePoint session. The attacker can alter rendered content, impersonate UI elements for phishing, or exfiltrate non-HttpOnly session data accessible from script.
No public proof-of-concept or in-the-wild exploitation has been reported. Refer to the Microsoft CVE-2026-47636 Advisory for vendor technical details.
Detection Methods for CVE-2026-47636
Indicators of Compromise
- SharePoint list items, pages, or fields containing markup such as <script> tags, <img onerror=> handlers, or javascript: URIs in user-input fields that should hold only plain text.
- IIS or SharePoint Unified Logging Service (ULS) entries showing POST requests with encoded script payloads to list or page editing endpoints.
- Browser console errors or unexpected outbound requests originating from SharePoint page loads to attacker-controlled domains.
Detection Strategies
- Inspect SharePoint content databases and list items for stored HTML or script markup in fields that should contain plain text.
- Correlate authenticated user activity in SharePoint audit logs with subsequent anomalous page rendering events or client-side redirects.
- Monitor for SharePoint accounts editing content outside their typical sites or list scopes.
Monitoring Recommendations
- Forward SharePoint ULS logs, IIS access logs, and Windows security events to a centralized SIEM for correlation.
- Alert on POST or PUT requests to SharePoint REST and SOAP endpoints containing reserved HTML characters in body parameters.
- Track outbound DNS and HTTP requests from user workstations immediately following SharePoint page loads to identify script-driven beaconing.
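As an added example, not code from the advisory or from Microsoft, the following Python scanner covers the indicators and detection strategies above: it strips layered URL and entity encoding, flags <script> tags, inline event handlers and javascript: URIs stored in plain-text list fields, and alerts on POST/PUT bodies sent to the REST and SOAP list endpoints. It assumes field values have been exported from the farm and that request bodies come from a proxy or WAF log (IIS access logs record only the query string); all sample data is constructed.

```python
import html
import re
from urllib.parse import unquote

# Indicators from the list above: script tags, inline event handlers, javascript: URIs.
MARKUP_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"<[^>]*\son[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
}
PLAIN_TEXT_TYPES = {"Text", "Choice"}  # Note fields qualify only with RichText off; caller decides
EDIT_ENDPOINTS = ("/_api/web/lists", "/_vti_bin/lists.asmx")  # REST and SOAP list-editing paths

def decode_layers(value, rounds=3):
    """Undo URL and entity encoding up to `rounds` times so double-encoded payloads still match."""
    for _ in range(rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value

def find_markup(value):
    """Names of the indicator patterns present in the decoded value."""
    text = decode_layers(value)
    return [name for name, pat in MARKUP_PATTERNS.items() if pat.search(text)]

def scan_fields(records):
    """records: (list, item_id, field, field_type, value); only plain-text field types are inspected."""
    return [(lst, item_id, field, found) for lst, item_id, field, ftype, value in records
            if ftype in PLAIN_TEXT_TYPES and (found := find_markup(value))]

def scan_requests(requests):
    """requests: dicts with method, path, body. Assumes a proxy or WAF in front of SharePoint
    that logs request bodies, since IIS logs carry only the query string."""
    return [(r["method"], r["path"], found) for r in requests
            if r["method"] in ("POST", "PUT")
            and any(e in r["path"].lower() for e in EDIT_ENDPOINTS)
            and (found := find_markup(r["body"]))]

# Constructed sample data, not real SharePoint content or traffic.
SAMPLE_FIELDS = [("Announcements", 12, "Title", "Text", "Quarterly results posted"),
                 ("Announcements", 13, "Title", "Text", "<img src=x onerror=alert(document.cookie)>"),
                 ("Links", 4, "Description", "Text", "javascript&#58;alert(1)")]
SAMPLE_REQUESTS = [{"method": "POST", "path": "/_api/web/lists/getbytitle('Tasks')/items",
                    "body": "{'Title':'%253Cscript%253Ealert(1)%253C/script%253E'}"},
                   {"method": "GET", "path": "/_layouts/15/start.aspx", "body": ""}]
```

Rich-text Note fields and web part properties legitimately carry HTML, so review hits from those by hand rather than adding them to PLAIN_TEXT_TYPES.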
How to Mitigate CVE-2026-47636
Immediate Actions Required
- Apply the Microsoft security update referenced in the Microsoft CVE-2026-47636 Advisory to all affected SharePoint Server installations.
- Audit existing SharePoint list items, pages, and web parts for stored HTML content in fields intended for plain text.
- Review SharePoint user permissions and remove contributor-level access for accounts that do not require it.
Patch Information
Microsoft has issued security updates for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016. Administrators should consult the Microsoft CVE-2026-47636 Advisory for the specific KB numbers and download packages aligned to each supported version.
Workarounds
- Restrict contributor and edit permissions on SharePoint sites to trusted users until patches are deployed.
- Enforce a Content Security Policy on SharePoint front-end servers to limit inline script execution where feasible.
- Educate users to avoid opening unexpected SharePoint links or pages shared by accounts outside their normal workflows.
# Verify installed SharePoint patch level on the server
Get-SPProduct | Select-Object ProductName, PatchableUnitDisplayName, Patches
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.