Cyber Posture

CVE-2026-26105

Severity: High

Published: 10 March 2026
Modified: 13 March 2026
KEV Added: not listed
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.0004 (12.8th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-26105 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Microsoft SharePoint Server. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 12.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and three other techniques. What defenders deploy: the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Requires timely remediation of the specific XSS flaw in SharePoint via patching to prevent unauthorized script injection and spoofing.

SI-15 Information Output Filtering (prevent)
Filters information output during web page generation to neutralize untrusted input and block XSS payload execution in user browsers.

SI-10 Information Input Validation (prevent)
Validates inputs to SharePoint web interfaces to reject or sanitize malicious payloads before they are processed into web pages.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.

T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

T1056.003 Web Portal Capture (Collection)
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service.

Why these techniques?

XSS in public-facing SharePoint directly enables T1190 exploitation; injected scripts facilitate T1185 browser session hijacking, T1539 web session cookie theft, and T1056.003 web portal input capture for credential/data theft.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.

Deeper analysis

CVE-2026-26105 is a cross-site scripting (XSS) vulnerability, classified under CWE-79 for improper neutralization of input during web page generation, affecting Microsoft Office SharePoint. Published on March 10, 2026, it enables an unauthorized attacker to perform spoofing attacks over a network. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N), reflecting its high severity due to network accessibility, low attack complexity, lack of required privileges, and potential for significant confidentiality and integrity impacts without affecting availability.

The attack requires user interaction: an unauthorized remote attacker delivers a malicious payload that is reflected or stored into a SharePoint-generated web page, and a victim, such as an authenticated SharePoint user, must click a link or view the crafted content for the injected script to execute in their browser context. Because the script runs with the victim's session, it can spoof legitimate interfaces to capture session cookies, credentials, or other sensitive data, or alter page content to support further phishing or data exfiltration.

Microsoft's Security Update Guide provides details on the vulnerability, including patch information and mitigation recommendations, at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26105. Security practitioners should review this advisory promptly to deploy updates and apply any interim workarounds to protect SharePoint environments.
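The control the summary ranks highest, SI-15 output filtering, is the direct fix for the CWE-79 pattern described above: untrusted values must be encoded for the HTML context they are written into at the moment of page generation. The example below is added here for illustration and is not SharePoint code or code from this page. It renders the same small page template twice, once in the vulnerable string-concatenation style and once with context-appropriate encoding, over a constructed set of untrusted values (the field names and the sample strings are hypothetical), and includes a simple check a reviewer can use to confirm that no markup from the untrusted input survived into the output.

```python
import html
from urllib.parse import urlsplit

# Constructed sample input (not from the advisory): untrusted values of the
# kind a web part might read from a request or a list item. The field names
# are hypothetical; the strings are classic text/attribute/URL-context probes.
UNTRUSTED = {
    "display_name": 'Alice <script>document.title="owned"</script>',
    "search_query": '"><img src=x onerror="alert(1)">',
    "return_url": "javascript:alert(1)",
}

# A minimal page fragment with three distinct output contexts: element text,
# a quoted attribute value, and an href (URL) attribute.
TEMPLATE = (
    "<h1>Welcome, {display_name}</h1>\n"
    '<input type="text" value="{search_query}">\n'
    '<a href="{return_url}">Back</a>\n'
)


def render_vulnerable(values):
    """CWE-79 pattern: untrusted values are interpolated into HTML unchanged."""
    return TEMPLATE.format(**values)


def safe_url(url, allowed_schemes=("http", "https")):
    """Accept only site-relative paths or absolute http(s) URLs.

    Anything else (javascript:, data:, vbscript:, protocol-relative //host)
    is replaced by a harmless fallback instead of being rendered.
    """
    parts = urlsplit(url)
    if parts.scheme == "" and url.startswith("/") and not url.startswith("//"):
        return url
    if parts.scheme.lower() in allowed_schemes and parts.netloc:
        return url
    return "/"


def render_hardened(values):
    """SI-15 pattern: encode each value for the HTML context it lands in."""
    safe = {
        # html.escape(quote=True) encodes < > & " and ', which is the correct
        # treatment for both element text and quoted attribute values.
        "display_name": html.escape(values["display_name"], quote=True),
        "search_query": html.escape(values["search_query"], quote=True),
        # href is a URL context: validate the scheme first, then HTML-encode.
        "return_url": html.escape(safe_url(values["return_url"]), quote=True),
    }
    return TEMPLATE.format(**safe)


def untrusted_markup_count(rendered):
    """Number of '<' characters beyond those the template itself contains.

    Any excess means untrusted input introduced new tags into the page.
    """
    return rendered.count("<") - TEMPLATE.count("<")


def has_dangerous_href(rendered):
    """True if an href in the rendered page starts with a script scheme."""
    return 'href="javascript:' in rendered.lower()


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable),
                          ("hardened", render_hardened)):
        page = render(UNTRUSTED)
        print(f"--- {label} ---")
        print(page)
        print("extra tags from input:", untrusted_markup_count(page))
        print("script-scheme href:", has_dangerous_href(page))
```

The encoding shown covers element text and attribute values, which is where reflected and stored XSS in page generation most often lands. Values written into a `<script>` block, an inline event handler, or a style rule need their own context-specific encoders; HTML entity encoding alone is not sufficient there, which is why output filtering is paired with input validation (SI-10) and patching (SI-2) in the controls listed above.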

Details

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected Products

Microsoft SharePoint Server 2016, 2019 (versions ≤ 16.0.19725.20076)

CVEs Like This One

CVE-2025-53770 (same product: Microsoft SharePoint Server)
CVE-2026-26106 (same product: Microsoft SharePoint Server)
CVE-2025-54897 (same product: Microsoft SharePoint Server)
CVE-2025-49712 (same product: Microsoft SharePoint Server)
CVE-2026-20963 (same product: Microsoft SharePoint Server)
CVE-2025-49701 (same product: Microsoft SharePoint Server)
CVE-2025-49704 (same product: Microsoft SharePoint Server)
CVE-2025-59228 (same product: Microsoft SharePoint Server)
CVE-2026-32201 (same product: Microsoft SharePoint Server)
CVE-2025-21348 (same product: Microsoft SharePoint Server)
