HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-47294Published Modified CNA microsoft

CVE-2026-47294: Microsoft SharePoint Server Remote Code Execution Vulnerability

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

Metrics

CVSS v3.1
8.0
Severity
HIGH
Fixed in
16.0.5552.1002
Affected Products
3

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

Deserialization of untrusted data in Microsoft SharePoint Server allows an authenticated attacker to execute arbitrary code remotely. The vulnerability is reachable over the network, requires a low-privilege account, and requires the targeted user to take some action (such as opening a malicious link or document). Successful exploitation gives the attacker full control over the affected server process, including reading, modifying, or destroying data. Patched-image rebuilds at versions 16.0.5552.1002, 16.0.10417.20128, and 16.0.19725.20280 are available on HarborGuard for environments running affected versions.

HarborGuard Coverage

Detection

Detection of CVE-2026-47294 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle SharePoint components. Matching runs against both registry scans and CI/CD pipeline builds, covering all three affected product lines.

Available
Triage

HarborGuard is capable of scoring this CVE at CVSS 8.0 (HIGH) and weighting it further against each environment's compliance policy to determine urgency. Routed findings are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.

Available
Patch

Patched-image rebuilds at the fix versions (16.0.5552.1002 for SharePoint 2016, 16.0.10417.20128 for SharePoint 2019, and 16.0.19725.20280 for Subscription Edition) become available on HarborGuard once upstream packages are published. For customers who opt into auto-remediation, HarborGuard performs a rebuild, runs a regression test suite, and opens a pull request against affected workloads.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the SharePoint service over the network; the vulnerable component is exposed via standard network access.

  • AuthenticationRequired

    Any low-privilege SharePoint account is sufficient; no administrative or elevated permissions are needed.

  • Victim interactionRequired

    A user on the target system must perform an action, such as visiting a crafted page or opening a malicious file, for the exploit to trigger.

  • Attack complexityDetail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other unpredictable environmental factors.

Blast Radius

  • The attacker executes arbitrary code in the context of the SharePoint server process, gaining full control of that process.
  • Confidential data stored in SharePoint, including documents, list data, and cached credentials, can be read directly.
  • The attacker can modify or delete SharePoint content, site configurations, and persisted application data.
  • The SharePoint service can be crashed or rendered unavailable, disrupting access for all users of that instance.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-47294 runs against all scanned images within minutes of CVE publication, covering SharePoint 2016, SharePoint 2019, and Subscription Edition across all three fix-version thresholds. Where compliance policy permits, patched-image rebuilds at the respective fix versions become available automatically. For customers who opt into auto-remediation, HarborGuard triggers a rebuild at the applicable fix version, executes a regression run, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Given that exploitation requires victim interaction, teams should also consider reviewing SharePoint site permissions to limit the number of low-privilege accounts that can send or post content, and apply network-policy controls to restrict inbound access to SharePoint endpoints where feasible until patched images are confirmed deployed.

See how HarborGuard automates this

Fix available

16.0.5552.100216.0.10417.2012816.0.19725.20280
Patch commits
Affected packages
  • Microsoft / Microsoft SharePoint Enterprise Server 2016
    < 16.0.5552.1002 (from 16.0.0)
  • Microsoft / Microsoft SharePoint Server 2019
    < 16.0.10417.20128 (from 16.0.0)
  • Microsoft / Microsoft SharePoint Server Subscription Edition
    < 16.0.19725.20280 (from 16.0.0)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
References