Cyber Resilience

CVE-2026-33110

High · RCE

Published: 12 May 2026

Modified: 13 May 2026
KEV Added: not listed
Patch: available (see the MSRC advisory below)
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0197 (77.9th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-33110 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Microsoft Sharepoint Server. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 22.1% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-33110 is a deserialization of untrusted data vulnerability, tracked under CWE-502, that affects Microsoft Office SharePoint. The flaw carries a CVSS 3.1 base score of 8.8 and permits an attacker to supply crafted serialized data that is processed without sufficient validation, leading to arbitrary code execution on the server.

An authorized user with network access can exploit the issue without user interaction or elevated privileges. Successful exploitation grants the attacker full control over confidentiality, integrity, and availability on the targeted SharePoint instance, enabling remote code execution across the network.

The Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33110 addresses the vulnerability and outlines available patches. The associated EPSS score has remained stable at 0.0195 with no material increase since disclosure.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct RCE via deserialization on network-accessible SharePoint server maps to exploitation of public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-59237 · Same product: Microsoft Sharepoint Server
CVE-2025-49712 · Same product: Microsoft Sharepoint Server
CVE-2026-26114 · Same product: Microsoft Sharepoint Server
CVE-2026-33112 · Same product: Microsoft Sharepoint Server
CVE-2026-40368 · Same product: Microsoft Sharepoint Server
CVE-2025-53770 · Same product: Microsoft Sharepoint Server
CVE-2026-35439 · Same product: Microsoft Sharepoint Server
CVE-2026-45659 · Same product: Microsoft Sharepoint Server
CVE-2026-40357 · Same product: Microsoft Sharepoint Server
CVE-2025-54897 · Same product: Microsoft Sharepoint Server

Affected Assets

Vendor: microsoft
Product: sharepoint server
Versions: 2016, 2019 · ≤ 16.0.19725.20280

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 Information Input Validation · prevent

Requires validation of all input (including serialized objects) before processing, directly blocking the untrusted data that triggers arbitrary code execution in SharePoint.

AC-6 Least Privilege · prevent

Enforces least privilege so an authorized user cannot reach the code paths or resources needed for successful RCE even if deserialization succeeds.

Integrity verification · prevent, detect

Verifies integrity of software and data, preventing or detecting unauthorized code introduced via malicious deserialization.

References