CVE-2026-55126: Patch SharePoint XSS With July KB5002891 Updates

CVE-2026-55126 exposes supported on-premises editions of Microsoft SharePoint Server to a cross-site scripting attack that can let an authenticated user spoof content and potentially capture sensitive information. Microsoft released fixes on July 14, 2026, for SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.
Detailed in Microsoft’s Security Update Guide, the vulnerability carries an Important severity rating and a CVSS 3.1 base score of 7.3. Microsoft and the Cybersecurity and Infrastructure Security Agency reported no known exploitation when the advisory was published, but administrators should not mistake the absence of observed attacks for a reason to leave an internet-facing SharePoint farm unpatched.
The required updates are KB5002891 for SharePoint Server 2016, KB5002883 for SharePoint Server 2019, and KB5002882 for SharePoint Server Subscription Edition. Language-pack updates are also available separately for the 2016 and 2019 releases.

Illustration of a SharePoint portal under attack by injected scripts redirecting authenticated users to a phishing page.Authenticated Access Still Leaves a Broad Attack Surface​

Microsoft describes CVE-2026-55126 as improper neutralization of input during web-page generation, the weakness class commonly known as cross-site scripting or XSS. An authorized attacker can exploit the flaw over a network, although the victim must interact with the malicious content for exploitation to succeed.
The CVSS vector records a network-accessible, low-complexity attack requiring low privileges and user interaction. Availability is not directly affected, but Microsoft rates the potential confidentiality and integrity impacts as high. In practical terms, this is a browser-context attack rather than a direct route to crashing the farm or executing arbitrary code on the SharePoint host.
That distinction matters, but it does not make the issue harmless. SharePoint pages routinely carry an organization’s identity, trusted branding, document links, workflow prompts, and collaboration controls. Content injected into that trusted interface can be considerably more convincing than an ordinary phishing message arriving from outside the organization.
A successful attack could present altered or misleading content to another user, redirect them to an attacker-controlled destination, or run script in the security context associated with the affected SharePoint site. The exact outcome will depend on where the vulnerable input appears, the permissions held by the attacker, and what the targeted user can access.
The requirement for an authorized attacker narrows exposure compared with an unauthenticated vulnerability. It does not eliminate it. Contractors, partner accounts, compromised employee credentials, and users with access to broadly shared collaboration sites can all provide the low-privilege foothold reflected in Microsoft’s scoring.

Three SharePoint Generations Need Updates​

The affected versions and corrected build thresholds published in the CVE record are:
  • SharePoint Enterprise Server 2016 installations should be brought to build 16.0.5561.1001 or later.
  • SharePoint Server 2019 installations should be brought to build 16.0.10417.20175 or later.
  • SharePoint Server Subscription Edition installations should be brought to build 16.0.19725.20434 or later.
Microsoft bundles the CVE-2026-55126 fix into the July cumulative security updates rather than offering a narrowly scoped patch for the spoofing flaw alone. Those packages address numerous SharePoint and Office vulnerabilities, including information disclosure, remote-code execution, security-feature bypass, and elevation-of-privilege issues.
That wider bundle raises the value of the update, but it also means administrators should treat deployment as a full SharePoint maintenance operation. Updating only one server, skipping language-pack packages where they apply, or failing to complete the farm upgrade process can leave a deployment in an inconsistent state.
SharePoint security updates generally require administrators to install the applicable packages on every SharePoint server and then run the SharePoint Products Configuration Wizard or PSConfig to finish the database and farm upgrade work. A successful Windows Update or package installation is therefore not, by itself, sufficient evidence that the farm has completed its update.
Administrators should verify the resulting build number through Central Administration or PowerShell and confirm that all servers report the expected patch state. Load-balanced front ends, application servers, search systems, and disaster-recovery farms should all be included in the inventory.

Subscription Edition Carries Extra Deployment Instructions​

KB5002882, the July update for SharePoint Server Subscription Edition, has prerequisites and known issues that deserve attention before the change window begins. Microsoft says farms using SharePoint Workflow Manager must install Workflow Manager update KB5002799 before installing the SharePoint cumulative update.
Organizations still running the Classic version of Workflow Manager must enable Microsoft’s documented server debug flag and reset IIS to continue using it. This is not a step administrators should discover midway through production patching, particularly in farms supporting business-critical approval or document-processing workflows.
The update also fixes a regression introduced by the June 2026 update that prevented SharePoint 2010 workflows from starting. That nonsecurity correction may remove one obstacle for organizations that delayed the June package because of workflow disruption.
Microsoft additionally documents a post-PSConfig PowerShell change for Subscription Edition. Administrators are instructed to set DisableActorTokenAudienceValidation to true because a defense-in-depth validation feature under development can cause a regression. Microsoft says existing actor-token validation remains in place, but the instruction still creates an important configuration item that must be recorded and revisited when the company updates its guidance.
These operational details make lab validation particularly important for farms using Workflow Manager, custom authentication, provider-hosted add-ins, or integrations that depend on actor tokens. The security update should still move promptly, but a hurried installation without the documented prerequisites could trade a known vulnerability for an avoidable application outage.

Detection Status Does Not Lower the Need to Patch​

CISA’s initial Stakeholder-Specific Vulnerability Categorization data marked exploitation as “none,” automation as “no,” and technical impact as partial. The flaw was also absent from CISA’s Known Exploited Vulnerabilities catalog as of July 15, 2026, while the Zero Day Initiative listed it as neither publicly disclosed nor exploited.
That is a more favorable starting point than an actively exploited SharePoint zero-day. It suggests administrators can use a controlled emergency or accelerated patch process rather than immediately disconnecting every farm from the network.
However, the vulnerability’s underlying weakness and affected build information are now public. Attackers can compare corrected and vulnerable SharePoint binaries, probe exposed farms, and combine this flaw with credential theft or other SharePoint weaknesses. July’s cumulative packages also repair more severe SharePoint vulnerabilities, so delaying them based solely on the status of CVE-2026-55126 would ignore the risk presented by the rest of the update.
Internet-facing farms should receive priority, followed by systems accessible to large partner populations or lightly governed collaboration accounts. Administrators unable to patch immediately should reduce unnecessary external access, review memberships on broadly accessible sites, investigate unusual page modifications, and monitor requests involving unexpected script, encoded markup, or suspicious redirections.
Security teams should also review authentication and SharePoint audit records for low-privilege accounts creating or modifying content shortly before another user encounters unusual prompts or navigation. XSS exploitation can look like legitimate site activity until the browser renders the attacker-controlled payload, making content history and account behavior as important as conventional server malware alerts.
CVE-2026-55126 is not currently the most dangerous flaw in Microsoft’s July SharePoint package, but it is another reason to complete the entire cumulative update rather than cherry-pick risk assessments by CVE. The immediate milestone is concrete: deploy KB5002891, KB5002883, or KB5002882 as appropriate, finish the farm configuration upgrade, and verify that no supported SharePoint server remains below its corrected build.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: caloes.ca.gov
  3. Related coverage: techradar.com
  4. Related coverage: windowscentral.com
  5. Related coverage: pcgamer.com
  6. Related coverage: tomshardware.com
 

Back
Top