CVE-2026-55016 exposes supported on-premises Microsoft SharePoint Server farms to a cross-site scripting flaw that can let an authenticated attacker place deceptive content in a page viewed by another user. Microsoft released fixes on July 14, 2026, covering SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.
Detailed in Microsoft’s Security Update Guide and newly published CVE record, the vulnerability stems from improper neutralization of input during web-page generation. Microsoft classifies the resulting impact as spoofing, while the underlying weakness is CWE-79, the standard designation for cross-site scripting, or XSS.
The flaw carries a CVSS 3.1 base score of 4.6, placing it in the Medium severity range. That score should not be read as permission to defer the update indefinitely: SharePoint pages often operate inside trusted corporate environments, where convincing content displayed under an organization’s own SharePoint address can carry more credibility than an ordinary phishing site.
Microsoft’s CVSS vector is AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N. In practical terms, exploitation can occur over the network, requires low privileges, has low attack complexity, and depends on another user interacting with the malicious content.
The attacker must already be authorized to use the affected SharePoint environment. That limits exposure compared with an unauthenticated internet-facing vulnerability, but it does not eliminate realistic attack paths. A compromised employee account, contractor login, malicious insider, or attacker who has gained basic access through password spraying or phishing could potentially supply the required privileges.
The victim must then open or interact with affected SharePoint content. Because the vulnerability involves input that is not safely neutralized when generating a page, attacker-controlled material may be treated as active web content rather than inert text.
Successful exploitation can produce limited confidentiality and integrity impact, according to Microsoft’s scoring, but it does not directly affect availability. The CVSS scope remains unchanged, meaning Microsoft does not describe the attack as crossing into a separate security authority or independently compromising the underlying SharePoint server.
That distinction matters. CVE-2026-55016 is not described as remote code execution, an authentication bypass, or a route to taking control of the Windows Server host. It is a browser-facing flaw capable of making content inside SharePoint appear or behave in a way that users and administrators did not intend.
A crafted page could potentially imitate an internal notification, login prompt, document workflow, administrative warning, or navigation element. The exact exploit surface and payload constraints have not been publicly documented, so administrators should avoid assuming that every classic XSS technique is possible. Microsoft’s published vector nevertheless confirms that user interaction is part of the attack and that both information exposure and unauthorized modification are considered plausible outcomes.
The authentication requirement also changes the most likely threat model. An external attacker cannot exploit CVE-2026-55016 solely by sending arbitrary traffic to a vulnerable farm, based on the available advisory. The more credible scenario begins after an account with basic SharePoint permissions has been obtained or misused.
This gives identity monitoring an important supporting role. Security teams should investigate unexpected page edits, unfamiliar scripts or markup, unusual content creation by low-privilege accounts, and SharePoint activity from newly observed devices or locations. Those controls can reduce risk, but they are not replacements for correcting the input-handling flaw.
Microsoft’s published affected-product list does not include SharePoint Online. Organizations using Microsoft-hosted SharePoint through Microsoft 365 therefore should not treat this advisory as an instruction to patch the cloud service themselves; the deployment work applies to supported SharePoint Server installations managed by customers.
For SharePoint Server Subscription Edition, the July package is KB5002882 and installs build 16.0.19725.20434. It is a cumulative security update addressing CVE-2026-55016 alongside numerous other SharePoint and Office vulnerabilities, including separate remote-code-execution, security-feature-bypass, information-disclosure, and elevation-of-privilege issues.
That broader patch content is significant for risk triage. An administrator may decide that CVE-2026-55016 alone is not the month’s highest-priority SharePoint issue, but the same July maintenance cycle closes substantially more serious vulnerabilities. Farms should be assessed against the complete update package rather than evaluating this spoofing flaw in isolation.
Farms still using the Classic version of Workflow Manager require an additional server debug flag to continue operating. Microsoft provides a SharePoint Management Shell sequence that adds flag 53601, updates the farm configuration, and resets IIS. Administrators should validate that prerequisite in a staging environment because workflow disruption can affect business processes even when SharePoint sites themselves remain available.
KB5002882 also fixes an issue that prevented SharePoint 2010 workflows from starting after installation of the June 2026 update. That correction may make the July build particularly relevant to farms that delayed last month’s update because of workflow failures.
Microsoft documents another post-installation step for Subscription Edition. After running the SharePoint Products Configuration Wizard or PSConfig, administrators are instructed to set
This is precisely the type of operational detail that can be missed when a SharePoint patch is deployed through a generic Windows maintenance procedure. Updating binaries without running PSConfig across the farm can leave SharePoint in an incomplete state, while overlooking prerequisites or documented PowerShell changes can create application regressions.
Testing should include page creation and editing, search, authentication, custom web parts, forms, workflow initiation, and any internally developed solutions that process user-supplied content. Customizations deserve particular attention because XSS fixes can tighten input handling or output encoding in ways that expose assumptions made by older SharePoint extensions.
There is no public evidence in the available CVE record that CVE-2026-55016 was being actively exploited when Microsoft published it on July 14. The absence of documented exploitation lowers the immediate alarm level, but it does not change the fixed-build boundary.
For defenders, the practical target is unambiguous: SharePoint 2016 farms should reach 16.0.5561.1001, SharePoint 2019 should reach 16.0.10417.20175, and Subscription Edition should reach 16.0.19725.20434. Any supported on-premises farm below those builds remains within Microsoft’s affected range.
Detailed in Microsoft’s Security Update Guide and newly published CVE record, the vulnerability stems from improper neutralization of input during web-page generation. Microsoft classifies the resulting impact as spoofing, while the underlying weakness is CWE-79, the standard designation for cross-site scripting, or XSS.
The flaw carries a CVSS 3.1 base score of 4.6, placing it in the Medium severity range. That score should not be read as permission to defer the update indefinitely: SharePoint pages often operate inside trusted corporate environments, where convincing content displayed under an organization’s own SharePoint address can carry more credibility than an ordinary phishing site.
The Attack Requires Two Users, Not Server Takeover
Microsoft’s CVSS vector is AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N. In practical terms, exploitation can occur over the network, requires low privileges, has low attack complexity, and depends on another user interacting with the malicious content.The attacker must already be authorized to use the affected SharePoint environment. That limits exposure compared with an unauthenticated internet-facing vulnerability, but it does not eliminate realistic attack paths. A compromised employee account, contractor login, malicious insider, or attacker who has gained basic access through password spraying or phishing could potentially supply the required privileges.
The victim must then open or interact with affected SharePoint content. Because the vulnerability involves input that is not safely neutralized when generating a page, attacker-controlled material may be treated as active web content rather than inert text.
Successful exploitation can produce limited confidentiality and integrity impact, according to Microsoft’s scoring, but it does not directly affect availability. The CVSS scope remains unchanged, meaning Microsoft does not describe the attack as crossing into a separate security authority or independently compromising the underlying SharePoint server.
That distinction matters. CVE-2026-55016 is not described as remote code execution, an authentication bypass, or a route to taking control of the Windows Server host. It is a browser-facing flaw capable of making content inside SharePoint appear or behave in a way that users and administrators did not intend.
Trusted SharePoint Pages Make Spoofing More Convincing
The “spoofing” label can sound less concrete than XSS, particularly in an enterprise patch queue dominated by privilege-escalation and remote-code-execution bugs. Here, it describes the security consequence of presenting attacker-controlled content through a legitimate SharePoint application and its trusted origin.A crafted page could potentially imitate an internal notification, login prompt, document workflow, administrative warning, or navigation element. The exact exploit surface and payload constraints have not been publicly documented, so administrators should avoid assuming that every classic XSS technique is possible. Microsoft’s published vector nevertheless confirms that user interaction is part of the attack and that both information exposure and unauthorized modification are considered plausible outcomes.
The authentication requirement also changes the most likely threat model. An external attacker cannot exploit CVE-2026-55016 solely by sending arbitrary traffic to a vulnerable farm, based on the available advisory. The more credible scenario begins after an account with basic SharePoint permissions has been obtained or misused.
This gives identity monitoring an important supporting role. Security teams should investigate unexpected page edits, unfamiliar scripts or markup, unusual content creation by low-privilege accounts, and SharePoint activity from newly observed devices or locations. Those controls can reduce risk, but they are not replacements for correcting the input-handling flaw.
Three SharePoint Releases Need the July Builds
The National Vulnerability Database’s Microsoft-supplied affected-product data identifies three on-premises SharePoint branches and the first builds that contain the fix:| SharePoint release | Versions requiring attention | Fixed build |
|---|---|---|
| SharePoint Enterprise Server 2016 | Builds earlier than 16.0.5561.1001 | 16.0.5561.1001 |
| SharePoint Server 2019 | Builds earlier than 16.0.10417.20175 | 16.0.10417.20175 |
| SharePoint Server Subscription Edition | Builds earlier than 16.0.19725.20434 | 16.0.19725.20434 |
For SharePoint Server Subscription Edition, the July package is KB5002882 and installs build 16.0.19725.20434. It is a cumulative security update addressing CVE-2026-55016 alongside numerous other SharePoint and Office vulnerabilities, including separate remote-code-execution, security-feature-bypass, information-disclosure, and elevation-of-privilege issues.
That broader patch content is significant for risk triage. An administrator may decide that CVE-2026-55016 alone is not the month’s highest-priority SharePoint issue, but the same July maintenance cycle closes substantially more serious vulnerabilities. Farms should be assessed against the complete update package rather than evaluating this spoofing flaw in isolation.
Workflow Manager Adds a Deployment Check
The July update is not merely a matter of launching an installer and declaring the farm complete. Microsoft warns SharePoint Server Subscription Edition customers running SharePoint Workflow Manager to install Workflow Manager update KB5002799 before applying the cumulative update.Farms still using the Classic version of Workflow Manager require an additional server debug flag to continue operating. Microsoft provides a SharePoint Management Shell sequence that adds flag 53601, updates the farm configuration, and resets IIS. Administrators should validate that prerequisite in a staging environment because workflow disruption can affect business processes even when SharePoint sites themselves remain available.
KB5002882 also fixes an issue that prevented SharePoint 2010 workflows from starting after installation of the June 2026 update. That correction may make the July build particularly relevant to farms that delayed last month’s update because of workflow failures.
Microsoft documents another post-installation step for Subscription Edition. After running the SharePoint Products Configuration Wizard or PSConfig, administrators are instructed to set
DisableActorTokenAudienceValidation to true. Microsoft says this disables a defense-in-depth validation feature under development that can cause a regression, while leaving existing actor-token validation checks in place.This is precisely the type of operational detail that can be missed when a SharePoint patch is deployed through a generic Windows maintenance procedure. Updating binaries without running PSConfig across the farm can leave SharePoint in an incomplete state, while overlooking prerequisites or documented PowerShell changes can create application regressions.
Patch the Farm, Then Verify the Build
Administrators should inventory every server role in the farm, confirm the installed SharePoint build, review Workflow Manager dependencies, and back up the farm configuration and relevant databases before deployment. The security update must be installed consistently across the farm, followed by the required SharePoint configuration process and service validation.Testing should include page creation and editing, search, authentication, custom web parts, forms, workflow initiation, and any internally developed solutions that process user-supplied content. Customizations deserve particular attention because XSS fixes can tighten input handling or output encoding in ways that expose assumptions made by older SharePoint extensions.
There is no public evidence in the available CVE record that CVE-2026-55016 was being actively exploited when Microsoft published it on July 14. The absence of documented exploitation lowers the immediate alarm level, but it does not change the fixed-build boundary.
For defenders, the practical target is unambiguous: SharePoint 2016 farms should reach 16.0.5561.1001, SharePoint 2019 should reach 16.0.10417.20175, and Subscription Edition should reach 16.0.19725.20434. Any supported on-premises farm below those builds remains within Microsoft’s affected range.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: techradar.com
Microsoft 365 Copilot can be turned into a one-click data theft tool — inbox, OneDrive, and SharePoint data all at risk, so patch now | TechRadar
Varonis found a way to chain three bugs into one exploitwww.techradar.com - Related coverage: windowscentral.com
Microsoft issues emergency SharePoint patches for ToolShell | Windows Central
Microsoft has issued emergency patches for two zero-day vulnerabilities.www.windowscentral.com - Related coverage: tomsguide.com
Microsoft releases emergency security updates to fix SharePoint zero-day flaws — everything you need to know | Tom's Guide
Two zero-day flaws have been patched to fix actively exploited vulnerabilities in SharePoint.www.tomsguide.com - Related coverage: pcgamer.com
Microsoft confirms SharePoint vulnerabilities have been exploited by suspected Chinese hackers, as reports indicate the US Nuclear Security Administration may have been among those compromised | PC Gamer
'Investigations into other actors also using these exploits are still ongoing.'www.pcgamer.com - Related coverage: blog.stefan-gossner.com
July 2026 CU for SharePoint Server Subscription Edition is available for download – Stefan Goßner
Important: If your current farm patch level is September 2025 CU, execute the following PowerShell script to correct the folder permissions on the relevant folders otherwise installing the SharePoint fixes will fail: Fix-SeptemberCU-Permission-Problem.ps1 Alternatively you can also remove the NT...blog.stefan-gossner.com