CVE-2026-55030 SharePoint XSS Fixed in July 2026 Updates

Microsoft has fixed CVE-2026-55030, an authenticated cross-site scripting vulnerability affecting SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. The flaw can let an attacker place deceptive content into a SharePoint page, but exploitation requires a valid account and user interaction.
Published in the Microsoft Security Response Center’s July 14, 2026 security release, CVE-2026-55030 carries a CVSS 3.1 score of 4.6. Microsoft nevertheless rates the vulnerability Important, making it part of the July SharePoint patch workload rather than an issue administrators should dismiss solely because of its medium numerical score.
The affected products and corrected build levels are:
  • SharePoint Enterprise Server 2016 installations earlier than build 16.0.5561.1001 are affected.
  • SharePoint Server 2019 installations earlier than build 16.0.10417.20175 are affected.
  • SharePoint Server Subscription Edition installations earlier than build 16.0.19725.20434 are affected.
Microsoft’s published assessment does not indicate that CVE-2026-55030 was publicly disclosed or exploited before the update became available. SANS Internet Storm Center also listed no known exploitation or prior public disclosure for the vulnerability when reviewing Microsoft’s July release.

Cybersecurity analyst monitors a SharePoint patch deployment, vulnerability alerts, and verification dashboards in a server room.An Authenticated Attacker Still Needs a Victim​

CVE-2026-55030 stems from improper neutralization of input while SharePoint generates a web page, the weakness class commonly known as cross-site scripting, or XSS. According to Microsoft’s CVE record, an authorized attacker could exploit the flaw over a network to perform spoofing.
The CVSS vector explains the practical limits of that attack. CVE-2026-55030 is network-accessible and has low attack complexity, but the attacker requires low-level privileges and must convince another user to interact with the affected content. Microsoft assesses the potential confidentiality and integrity effects as low, with no direct availability impact.
That makes this a different incident from an unauthenticated SharePoint remote-code execution flaw. CVE-2026-55030 does not, by itself, give an anonymous internet user control of a server, nor does its advisory describe code execution on the underlying Windows Server host.
The likely danger is inside the browser session. A malicious or compromised SharePoint account could submit content that SharePoint later renders without safely neutralizing it. When another user views or interacts with that content, the attacker may be able to make the page display information or behavior that appears to come from the trusted SharePoint site.
That distinction matters because SharePoint is frequently used for workflows in which visual trust carries authority. Employees may accept a document prompt, navigation element, approval request, or sign-in message because it appears under the organization’s familiar SharePoint hostname and branding.
The user-interaction requirement reduces the chance of fully automated exploitation, but it does not eliminate risk. An attacker who has obtained a basic account through phishing, password spraying, contractor access, or another compromised identity may already have the prerequisites needed to plant malicious content.

“Confirmed” Describes Evidence, Not Active Attacks​

Microsoft’s advisory marks the report-confidence metric as confirmed. That term can sound more urgent than it is if separated from the rest of the CVSS data.
Report confidence measures Microsoft’s confidence that the vulnerability exists and that its technical description is credible. A confirmed rating means sufficiently detailed evidence exists or Microsoft has verified the flaw. It does not mean attackers have been observed exploiting it.
Similarly, the presence of a complete CVSS vector provides defenders and potential attackers with information about the conditions surrounding exploitation, but it is not proof that working exploit code is circulating. As of the July 14 release, the public assessments reviewed by SANS and the Zero Day Initiative did not describe CVE-2026-55030 as a zero-day or an actively exploited vulnerability.
Administrators should therefore avoid both extremes: treating “confirmed” as evidence of an ongoing campaign, or treating the 4.6 score as a reason to leave the farm unpatched indefinitely. The CVE represents a verified security defect with an official fix and a plausible post-compromise use case.
The July release also contains numerous other SharePoint corrections, including remote-code execution, security-feature bypass, elevation-of-privilege, information-disclosure, and additional spoofing vulnerabilities. The Zero Day Initiative counted a cluster of SharePoint issues with stored-XSS characteristics and advised organizations not to let the spoofing classification lower the priority of the overall SharePoint update.
In other words, few farms will be installing the July package for CVE-2026-55030 alone. Its remediation arrives alongside fixes for considerably more severe SharePoint weaknesses, including CVE-2026-55040, a critical security-feature bypass rated 9.1, and critical remote-code execution vulnerabilities addressed in the same release cycle.

July’s SharePoint Packages Need Farm-Level Planning​

Microsoft lists three primary July security updates for the supported on-premises SharePoint branches: KB5002891 for SharePoint Server 2016, KB5002883 for SharePoint Server 2019, and KB5002882 for SharePoint Server Subscription Edition. SharePoint 2016 and 2019 also have separate language-pack updates, KB5002892 and KB5002885 respectively.
For Subscription Edition, KB5002882 moves the security update package to build 16.0.19725.20434 and replaces KB5002873. Microsoft makes the package available through Microsoft Update, the Microsoft Update Catalog, and the Download Center.
SharePoint updates require more than placing a Windows Server cumulative update into a general deployment ring. Administrators must update every server in the farm as appropriate, complete SharePoint configuration processing, and verify that database and server upgrade states agree. A server that has received binaries but has not completed the configuration stage should not be assumed fully remediated.
Workflow dependencies also need attention. Microsoft says farms running SharePoint Workflow Manager must install Workflow Manager KB5002799 before applying the Subscription Edition cumulative update. Farms using the Classic version of Workflow Manager must enable Microsoft’s documented server debug flag and reset IIS to continue using that component.
KB5002882 includes another operational caveat after PSConfig. Microsoft instructs administrators to set DisableActorTokenAudienceValidation to true because a defense-in-depth validation feature under development can cause a regression. Microsoft says existing actor-token validation checks remain enabled, but the requirement still gives administrators an additional post-update configuration item to document and verify.
The package also fixes a nonsecurity regression that prevented SharePoint 2010 workflows from starting after installation of the June 2026 update. That correction may make the July release particularly relevant to organizations that encountered workflow failures during the previous servicing cycle.

Browser Trust Is Part of the SharePoint Security Boundary​

CVE-2026-55030 has no availability impact in Microsoft’s scoring, so exploitation is not expected to crash a farm or interrupt service directly. Its value to an attacker lies instead in manipulating what another user sees or what the browser executes in the context of the SharePoint site.
That can become more consequential when the victim has broader permissions than the attacker. Site owners, content approvers, records managers, and farm administrators routinely operate SharePoint through authenticated browser sessions. Malicious content delivered inside that trusted environment can support credential theft, misleading actions, or further compromise even when the original attacker holds only limited privileges.
Existing controls can reduce exposure while patches move through testing. Administrators should restrict who can create or edit content on sensitive sites, review unusual changes by low-privilege accounts, and investigate unexpected script-like content, embedded prompts, or redirects. Identity monitoring remains relevant because exploitation begins with an authorized SharePoint identity rather than an anonymous request.
Those controls are supplementary. Input-handling vulnerabilities are best corrected where the unsafe content is processed, and Microsoft has supplied that correction through the July packages.
The immediate task is to inventory on-premises SharePoint farms, map each one to KB5002891, KB5002883, or KB5002882, and confirm the resulting build rather than relying only on a successful installer message. CVE-2026-55030 is not currently an exploitation emergency, but it is part of a SharePoint release containing fixes that justify an accelerated, carefully validated deployment.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: caloes.ca.gov
  3. Related coverage: windowscentral.com
  4. Related coverage: techradar.com
  5. Related coverage: pcgamer.com
  6. Related coverage: tomshardware.com
 

Back
Top