cve 2026 26105

CVE-2026-26105 is a high-severity spoofing vulnerability in on-premises Microsoft SharePoint Server, disclosed and patched in the March 2026 security update. The flaw, classified as cross-site scripting (CWE-79), allows an unauthenticated remote attacker to inject malicious content that can spoof trusted site elements. This could enable phishing attacks, credential theft, session hijacking, or content manipulation. Microsoft assigned a CVSS v3.1 base score of 8.1 (High) and released fixes for affected SharePoint Server builds. Administrators of on-premises SharePoint deployments should prioritize applying this patch to mitigate the risk of exploitation.