CVE-2026-35439
Published: 12 May 2026
Summary
CVE-2026-35439 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Microsoft Sharepoint Server. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 21.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability CVE-2026-35439 is a deserialization of untrusted data flaw, tracked as CWE-502, that affects Microsoft Office SharePoint. It received a CVSS 3.1 base score of 8.8 reflecting network attack vector, low attack complexity, and low privileges required.
An authorized attacker can exploit the issue over a network to execute arbitrary code, resulting in high impact to confidentiality, integrity, and availability.
The Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35439 supplies official guidance and patches. The associated EPSS score has remained flat at 0.0195 with no material increase observed after disclosure.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-29637
Vulnerability details
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Deserialization flaw (CWE-502) directly enables remote code execution on network-accessible SharePoint server, matching T1190 Exploit Public-Facing Application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of untrusted serialized data before deserialization, blocking the arbitrary code execution path in SharePoint.
Mandates timely application of the vendor patch supplied in the MSRC advisory to eliminate the deserialization flaw.
Requires integrity verification of software and information, enabling detection of unauthorized code introduced via the deserialization exploit.