CVE-2026-47634: Microsoft SharePoint Server Spoofing Vulnerability

Synopsis

A stored or reflected cross-site scripting (XSS) vulnerability exists in Microsoft SharePoint Server where user-supplied input is not properly sanitized before being rendered in web pages. The vulnerability is reachable over the network and requires a low-privilege authenticated account plus a victim clicking or visiting a crafted link or page. Successful exploitation allows an attacker to read sensitive data from the victim's browser session and tamper with page content, effectively impersonating the SharePoint interface to the victim. Patched-image rebuilds at versions 16.0.10417.20153 and 16.0.19725.20384 are available on HarborGuard for environments running affected versions.

HarborGuard Coverage

Exploit Conditions

• Network reachabilityRequired

  The attacker must reach the SharePoint Server over the network; the service must be exposed to the attacker's network segment or the internet.

• AuthenticationRequired

  A low-privilege authenticated account is sufficient; anonymous access alone is not enough to trigger the vulnerability.

• Victim interactionRequired

  A targeted user must interact with a crafted link or page, making this a social-engineering-dependent exploit.

• Attack complexityDetail

  Exploit conditions are straightforward and require no race conditions or special environmental factors; the attack is reliable once the victim interacts.

Blast Radius

• The attacker can read the victim's active SharePoint session tokens and any sensitive data rendered in the browser at the time of exploitation.
• The attacker can inject and execute arbitrary scripts in the victim's browser, modifying displayed SharePoint page content to impersonate legitimate UI elements.
• The attacker can perform actions on SharePoint on behalf of the victim, such as modifying or exfiltrating documents and list items the victim has access to.