HIGHCVE-2026-20947Published 2026-01-13Modified 2026-04-01CNA microsoft

CVE-2026-20947: Microsoft SharePoint Server Remote Code Execution Vulnerability

Improper neutralization of special elements used in an sql command ('sql injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 16.0.5535.1001
Affected Products: 3

Fix available

16.0.5535.100116.0.10417.2008316.0.19127.20442

Patch commits

Microsoft SharePoint Server Remote Code Execution Vulnerability

Affected packages

Microsoft / Microsoft SharePoint Enterprise Server 2016
< 16.0.5535.1001 (from 16.0.0)
Microsoft / Microsoft SharePoint Server 2019
< 16.0.10417.20083 (from 16.0.0)
Microsoft / Microsoft SharePoint Server Subscription Edition
< 16.0.19127.20442 (from 16.0.0)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

References

Microsoft SharePoint Server Remote Code Execution Vulnerability

Metrics

Fix available