CVE-2025-49704: Improper control of generation of code ('code injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

high8.8CVSS 3.1

AVNACLPRLUINSUCHIHAH

KEVEXPLOIT

CISA Known Exploited Vulnerabilitydue 2025-07-23

Improper control of generation of code ('code injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

Affected

7 ranges

Vendor	Product	Version range	Fixed in
microsoft	microsoft_sharepoint_enterprise_server_2016	>= 16.0.0 < 16.0.5508.1000	16.0.5508.1000
microsoft	microsoft_sharepoint_server_2019	>= 16.0.0 < 16.0.10417.20027	16.0.10417.20027
microsoft	sharepoint_server	—	—
microsoft	sharepoint_server	—	—
msrc	microsoft_sharepoint_enterprise_server_2016	—	—
msrc	microsoft_sharepoint_server_2019	—	—
msrc	microsoft_sharepoint_server_subscription_edition	—	—

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

vulncheck8.8HIGH

cisa8.8HIGH