CVE-2026-33110
Published: 12 May 2026
Summary
CVE-2026-33110 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Microsoft Sharepoint Server. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 22.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-33110 is a deserialization of untrusted data vulnerability, tracked under CWE-502, that affects Microsoft Office SharePoint. The flaw carries a CVSS 3.1 base score of 8.8 and permits an attacker to supply crafted serialized data that is processed without sufficient validation, leading to arbitrary code execution on the server.
An authorized user with network access can exploit the issue without user interaction or elevated privileges. Successful exploitation grants the attacker full control over confidentiality, integrity, and availability on the targeted SharePoint instance, enabling remote code execution across the network.
The Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33110 addresses the vulnerability and outlines available patches. The associated EPSS score has remained stable at 0.0195 with no material increase since disclosure.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-29576
Vulnerability details
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct RCE via deserialization on network-accessible SharePoint server maps to exploitation of public-facing application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires validation of all input (including serialized objects) before processing, directly blocking the untrusted data that triggers arbitrary code execution in SharePoint.
Enforces least privilege so an authorized user cannot reach the code paths or resources needed for successful RCE even if deserialization succeeds.
Verifies integrity of software and data, preventing or detecting unauthorized code introduced via malicious deserialization.