Cyber Resilience

CVE-2026-26105

Severity: High
Published: 10 March 2026
Modified: 13 March 2026
KEV Added: not listed (not currently in the CISA KEV catalog)
Patch: see the Microsoft Security Update Guide entry linked under Deeper analysis
CVSS v3.1: 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
EPSS: 0.0126 (65.9th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-26105 is a high-severity cross-site scripting (XSS, CWE-79) vulnerability in Microsoft SharePoint Server. Its CVSS v3.1 base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 34.1% of CVEs by exploit likelihood (EPSS 0.0126, 65.9th percentile), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-26105 is a cross-site scripting (XSS) vulnerability, classified under CWE-79 (improper neutralization of input during web page generation), affecting Microsoft Office SharePoint. Published on March 10, 2026, it allows an unauthorized attacker to perform spoofing over a network. The CVSS v3.1 base score is 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N): network-reachable, low attack complexity, no privileges required, user interaction required, scope unchanged, and high confidentiality and integrity impact with no availability impact.

The attack requires user interaction: a remote, unauthenticated attacker delivers the payload through SharePoint-generated web pages, and a victim, typically an authenticated SharePoint user, must click a link or view the crafted content before the injected script runs in their browser within SharePoint's origin. With the script running as the victim, the attacker can spoof legitimate interfaces to harvest credentials, read or alter content the victim can reach, and exfiltrate data. Stealing the session cookie itself only works when the cookie is not marked HttpOnly; a script in the SharePoint origin can still act as the victim by issuing requests that carry the victim's session, without ever reading the cookie.

Microsoft's Security Update Guide provides details on the vulnerability, including patch information and mitigation recommendations, at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26105. Security practitioners should review this advisory promptly to deploy updates and apply any interim workarounds to protect SharePoint environments.

Vulnerability details

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.

T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

T1056.003 Web Portal Capture (Collection)
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service.
Why these techniques?

XSS in public-facing SharePoint directly enables T1190 exploitation; injected scripts facilitate T1185 browser session hijacking, T1539 web session cookie theft, and T1056.003 web portal input capture for credential/data theft.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-59237 · Same product: Microsoft SharePoint Server
CVE-2025-49712 · Same product: Microsoft SharePoint Server
CVE-2026-26114 · Same product: Microsoft SharePoint Server
CVE-2026-20947 · Same product: Microsoft SharePoint Server
CVE-2026-33112 · Same product: Microsoft SharePoint Server
CVE-2025-21348 · Same product: Microsoft SharePoint Server
CVE-2026-40368 · Same product: Microsoft SharePoint Server
CVE-2025-49701 · Same product: Microsoft SharePoint Server
CVE-2025-53770 · Same product: Microsoft SharePoint Server
CVE-2025-49704 · Same product: Microsoft SharePoint Server

Affected Assets

Microsoft SharePoint Server 2016, 2019 · affected builds ≤ 16.0.19725.20076
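A check against the affected range above, added here as an example rather than anything from the advisory or from Microsoft: it reads the farm build (or, if the SharePoint cmdlets are not loaded, the file version of Microsoft.SharePoint.dll in the 16 hive) and compares it with the upper bound listed under Affected Assets. The fixed build number is not given on this page, so the script can only say whether a server is at or below that bound; confirm the fix build in the Security Update Guide entry. The function names and the output object are this example's own.

```powershell
# Added example (not from the advisory or Microsoft): report whether this
# SharePoint server's build falls in the affected range listed on this page
# (SharePoint Server 2016/2019, build <= 16.0.19725.20076). The fixed build is
# not stated here, so the result only means "at or below the affected bound".
# Run in the SharePoint Management Shell (or a session that has loaded
# Microsoft.SharePoint.PowerShell) on each farm server.

$AffectedUpperBound = [version]'16.0.19725.20076'   # from the Affected Assets section

function Test-SPBuildAffected {
    param(
        [Parameter(Mandatory)][version]$Build,
        [version]$UpperBound = $AffectedUpperBound
    )
    # Major version 16 covers SharePoint 2016 and 2019; anything else is
    # outside the range this page describes.
    if ($Build.Major -ne 16) { return $false }
    return ($Build -le $UpperBound)
}

function Get-SPLocalBuild {
    # Prefer the farm build recorded in the configuration database.
    if (Get-Command Get-SPFarm -ErrorAction SilentlyContinue) {
        $farm = Get-SPFarm -ErrorAction SilentlyContinue
        if ($farm) { return [version]$farm.BuildVersion }
    }
    # Fallback when the cmdlets are unavailable: file version of the core
    # assembly in the standard 16 hive location (adjust if relocated).
    $dll = Join-Path ${env:CommonProgramFiles} 'microsoft shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.dll'
    if (Test-Path $dll) {
        return [version](Get-Item $dll).VersionInfo.FileVersion
    }
    throw "SharePoint not detected on $env:COMPUTERNAME"
}

$build = Get-SPLocalBuild
[pscustomobject]@{
    Server   = $env:COMPUTERNAME
    Build    = $build
    Affected = Test-SPBuildAffected -Build $build
    Bound    = $AffectedUpperBound
}
```

Get-SPFarm reports the build recorded in the configuration database, which only moves once the Products Configuration Wizard (PSConfig) has run after patching; the DLL file version shows what is actually installed on that server. Run the check on every farm server rather than trusting a single answer, and treat a farm build that trails the DLL version as "patched but not yet configured".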

Mitigating Controls (NIST 800-53 r5) [AI]

SI-2 Flaw Remediation (prevent)
Requires timely remediation of the specific XSS flaw in SharePoint via patching to prevent unauthorized script injection and spoofing.

SI-15 Information Output Filtering (prevent)
Filters information output during web page generation to neutralize untrusted input and block XSS payload execution in user browsers.

SI-10 Information Input Validation (prevent)
Validates inputs to SharePoint web interfaces to reject or sanitize malicious payloads before they are processed into web pages.
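The output-filtering and input-validation controls above, and the CWE-79 mechanism described under Deeper analysis, as one added example (not SharePoint's own code and not from the advisory): a constructed page fragment is rendered first with untrusted text concatenated straight into markup, the vulnerable pattern, and then with the .NET encoders that ASP.NET pages and SharePoint customisations can call, one per output context, followed by an allow-list check for a field that should hold only a display name. The payload, the fragment, the ConvertTo-* and Test-InputAllowlist functions are all constructed for this demo.

```powershell
# Added example (not from the advisory or SharePoint's code): contextual output
# encoding with .NET encoders, beside the vulnerable concatenation pattern, plus
# an allow-list input check. Fragment, payload and function names are constructed.
Add-Type -AssemblyName System.Web -ErrorAction SilentlyContinue   # HttpUtility on Windows PowerShell 5.1; built in on PowerShell 7

# Constructed attacker-controlled value, as it might arrive in a query string or a list field.
$untrusted = '"><img src=x onerror=alert(document.cookie)>'

function ConvertTo-UnsafeHtml {
    param([string]$DisplayName)
    # Vulnerable pattern (CWE-79): untrusted text placed directly into markup,
    # so the payload closes the attribute and injects an element.
    return "<span class=""user"" title=""$DisplayName"">$DisplayName</span>"
}

function ConvertTo-EncodedHtml {
    param([string]$DisplayName, [string]$ProfileId)
    # Each sink gets the encoder for its own context (SI-15):
    #   HTML text and attribute -> HtmlEncode (escapes < > & " ')
    #   URL query component     -> EscapeDataString
    #   JavaScript string       -> JavaScriptStringEncode (also escapes < > &)
    $html = [System.Net.WebUtility]::HtmlEncode($DisplayName)
    $url  = [System.Uri]::EscapeDataString($ProfileId)
    $js   = [System.Web.HttpUtility]::JavaScriptStringEncode($DisplayName)
    return @"
<span class="user" title="$html">$html</span>
<a href="/profile?id=$url">profile</a>
<script>var who = "$js";</script>
"@
}

function Test-InputAllowlist {
    param([string]$Value)
    # SI-10 style check for a field that should only ever hold a display name:
    # letters, digits, spaces and a few punctuation marks, 1 to 128 characters.
    return $Value -match '^[\p{L}\p{N} .,''-]{1,128}$'
}

"--- unsafe rendering ---"
ConvertTo-UnsafeHtml -DisplayName $untrusted
"--- encoded rendering ---"
ConvertTo-EncodedHtml -DisplayName $untrusted -ProfileId 'u 42&x=1'
"--- allow-list accepts the payload? ---"
Test-InputAllowlist -Value $untrusted        # False
Test-InputAllowlist -Value "O'Brien, Ann"    # True
```

Encoding belongs at the sink and is chosen by context: HtmlEncode does not make a value safe inside a script block or a URL, which is why the example uses three different encoders. The allow-list rejects the payload, but a display-name field is the easy case; fields that legitimately carry markup need output encoding or an HTML sanitiser at render time, not a regex at input time.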

References

Microsoft Security Response Center, Security Update Guide entry for CVE-2026-26105: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26105