CVE-2026-20945 — Cross-site Scripting in Microsoft Sharepoint Enterprise Server 2016

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

4.6MEDIUMNVD

EPSS

0.1%

top 81.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Sharepoint Enterprise Server 2016 Microsoft Sharepoint Server 2019 Microsoft Sharepoint Server Subscription Edition

Timeline

PublishedApr 14

Description

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:NExploitability: 2.1 | Impact: 2.5

Affected Packages3 packages

▶CVEListV5microsoft/microsoft_sharepoint_server_201916.0.0 — 16.0.10417.20114

▶CVEListV5microsoft/microsoft_sharepoint_enterprise_server_201616.0.0 — 16.0.5548.1003

▶CVEListV5microsoft/microsoft_sharepoint_server_subscription_edition16.0.0 — 16.0.19725.20210

🔴Vulnerability Details

GHSA

GHSA-2c76-42fg-9f8g: Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to p↗2026-04-14

▶

CVEList

Microsoft SharePoint Server Spoofing Vulnerability↗2026-04-14

▶