CVE-2026-33112
Published: 12 May 2026
Summary
CVE-2026-33112 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Microsoft Office SharePoint. Its CVSS 3.1 base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks in the top 20.5% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SC-18 (Mobile Code).
Deeper analysis
The vulnerability CVE-2026-33112 stems from deserialization of untrusted data, tracked under CWE-502, in Microsoft Office SharePoint. It received a CVSS 3.1 base score of 8.8 reflecting network attack vector, low attack complexity, and low privileges required without user interaction, yielding high impact across confidentiality, integrity, and availability.
An authorized attacker with network access can supply malicious serialized data to trigger remote code execution on the affected SharePoint instance, enabling full compromise of the target system.
Microsoft has published an advisory addressing the issue at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33112. The associated EPSS score remains flat at 0.0195 with no material increase observed since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-29577
Vulnerability details
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Deserialization RCE in network-accessible SharePoint directly enables remote code execution against a public-facing application (T1190).
Affected Assets
- Microsoft Office SharePoint (affected versions and updates are listed in the MSRC advisory linked above)
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the root cause by requiring validation and sanitization of untrusted serialized data before SharePoint deserializes it.
- Malicious code protection: detection mechanisms can inspect or sandbox serialized payloads and the objects they produce to stop code execution.
- SC-18 (Mobile Code): treats deserialized objects as untrusted mobile code and enforces usage restrictions or execution controls to limit remote code execution.
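As an added example, not code from Microsoft, SharePoint or this advisory: the CWE-502 pattern the analysis above describes, written in .NET (SharePoint Server runs on .NET Framework, where BinaryFormatter still deserializes; .NET 8 and later disable it outright). The unsafe loader accepts whatever type the byte stream names; the hardened loaders apply the SI-10 and SC-18 controls listed above by bounding and validating the input, by allow-listing the single expected type, or, preferably, by moving to a format that carries no type names at all. The ViewState DTO, the 16 KiB bound and the JSON replacement are assumptions for illustration; this page does not identify the affected SharePoint component, and the code below is not it.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text;
using System.Text.Json;

// Illustration only: a hypothetical DTO standing in for whatever the application
// expects to receive. Not SharePoint's types.
[Serializable]
public sealed class ViewState
{
    public string PageId { get; set; }
    public int Page { get; set; }
}

public static class UnsafeDeserializer
{
    // VULNERABLE (CWE-502): BinaryFormatter instantiates whatever type the payload
    // names. A gadget chain in the stream runs inside Deserialize(), before the
    // caller has any chance to check that the result is a ViewState.
    public static object Load(byte[] untrusted)
    {
        return new BinaryFormatter().Deserialize(new MemoryStream(untrusted));
    }
}

// Allow-list binder: refuses any type name not explicitly expected, before the
// formatter constructs it. Microsoft documents a binder as defence in depth only;
// BinaryFormatter remains unsafe and should be removed, not wrapped.
public sealed class AllowListBinder : SerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>
    {
        [typeof(ViewState).FullName] = typeof(ViewState),
    };

    public override Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out Type t))
            return t;
        throw new SerializationException("refused unexpected type '" + typeName + "'");
    }
}

public static class HardenedDeserializer
{
    private const int MaxPayloadBytes = 16 * 1024; // assumed bound for this DTO

    private static void CheckEnvelope(byte[] untrusted)
    {
        if (untrusted == null || untrusted.Length == 0 || untrusted.Length > MaxPayloadBytes)
            throw new ArgumentException("payload missing or oversized");
    }

    // Semantic validation after structural decoding (SI-10): reject values the
    // application cannot legitimately receive.
    private static ViewState CheckFields(ViewState vs)
    {
        if (vs == null || string.IsNullOrEmpty(vs.PageId) || vs.PageId.Length > 64 || vs.Page < 0)
            throw new ArgumentException("ViewState fields out of range");
        return vs;
    }

    // Preferred fix: a wire format that carries no type names, decoded into one
    // fixed CLR type, so there is no attacker-chosen type to construct.
    public static ViewState LoadJson(byte[] untrusted)
    {
        CheckEnvelope(untrusted);
        return CheckFields(JsonSerializer.Deserialize<ViewState>(untrusted));
    }

    // Stopgap when the binary format cannot be replaced yet (SC-18-style restriction):
    // only the allow-listed type may be materialised from the stream.
    public static ViewState LoadBinaryWithAllowList(byte[] untrusted)
    {
        CheckEnvelope(untrusted);
        var formatter = new BinaryFormatter { Binder = new AllowListBinder() };
        return CheckFields((ViewState)formatter.Deserialize(new MemoryStream(untrusted)));
    }
}

public static class Demo
{
    private static byte[] BinarySerialize(object o)
    {
        var ms = new MemoryStream();
        new BinaryFormatter().Serialize(ms, o);
        return ms.ToArray();
    }

    public static void Main()
    {
        // Constructed sample inputs: a benign ViewState, and a payload naming a
        // different, harmless type to stand in for an attacker-chosen class.
        byte[] benign = BinarySerialize(new ViewState { PageId = "home", Page = 2 });
        byte[] wrongType = BinarySerialize(new List<int> { 1, 2, 3 });
        byte[] json = Encoding.UTF8.GetBytes("{\"PageId\":\"home\",\"Page\":2}");

        // The unsafe path builds a List<int>: the type came from the payload, not the code.
        Console.WriteLine(UnsafeDeserializer.Load(wrongType).GetType().Name);

        Console.WriteLine(HardenedDeserializer.LoadBinaryWithAllowList(benign).PageId);
        try { HardenedDeserializer.LoadBinaryWithAllowList(wrongType); }
        catch (SerializationException e) { Console.WriteLine(e.Message); }

        Console.WriteLine(HardenedDeserializer.LoadJson(json).Page);
    }
}
```

Running Main, the unsafe loader reports List`1 for the wrong-type payload, the allow-list loader refuses it with a SerializationException, and the JSON loader returns the validated ViewState. The constructed wrong-type payload is harmless by design; real exploitation relies on gadget chains, which this example omits. The practical takeaway for a SharePoint operator is still the advisory's update, since the vulnerable component is not under the operator's control; the code only shows what the SI-10 and SC-18 controls mean at the code level.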