CVE-2026-20963: Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network.

critical9.8CVSS 3.1

AVNACLPRNUINSUCHIHAH

KEV

CISA Known Exploited Vulnerabilitydue 2026-03-21

Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network.

9 ranges

Vendor	Product	Version range	Fixed in
microsoft	microsoft_sharepoint_enterprise_server_2016	>= 16.0.0 < 16.0.5535.1001	16.0.5535.1001
microsoft	microsoft_sharepoint_server_2019	>= 16.0.0 < 16.0.10417.20083	16.0.10417.20083
microsoft	microsoft_sharepoint_server_subscription_edition	>= 16.0.0 < 16.0.19127.20442	16.0.19127.20442
microsoft	sharepoint_server	< 16.0.19127.20442	16.0.19127.20442
microsoft	sharepoint_server	—	—
microsoft	sharepoint_server	—	—
msrc	microsoft_sharepoint_enterprise_server_2016	—	—
msrc	microsoft_sharepoint_server_2019	—	—
msrc	microsoft_sharepoint_server_subscription_edition	—	—

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

vulncheck9.8CRITICAL

cisa9.8CRITICAL