CVE-2026-55019: Install July Updates to Fix SharePoint XSS

Microsoft patched CVE-2026-55019 on July 14, 2026, closing a SharePoint Server cross-site scripting flaw that could let an authenticated attacker spoof content shown to another user. The vulnerability affects supported on-premises editions of SharePoint Server and requires administrators to install the July security updates rather than rely on a Microsoft 365 service-side fix.
Detailed in Microsoft’s Security Update Guide, CVE-2026-55019 carries an Important severity rating and a CVSS 3.1 base score of 4.6. Microsoft describes the underlying weakness as improper neutralization of input during web-page generation, categorized as CWE-79, or cross-site scripting.
The vulnerability is confirmed rather than speculative: its CVSS vector gives it a report-confidence value of “Confirmed.” That means Microsoft has acknowledged the defect and shipped corrections, although it does not mean attacks have been observed.

An IT administrator monitors a SharePoint server update while an injected script is detected and blocked.A Low Score Still Leaves Room for Deception​

CVE-2026-55019 is network-accessible and has low attack complexity, but exploitation is constrained by two important requirements. An attacker must already possess low-level privileges, and a victim must interact with attacker-controlled content before the spoofing succeeds.
The complete CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C. Microsoft assesses the potential confidentiality and integrity effects as low, with no direct availability impact.
In practical terms, the flaw is not expected to crash a SharePoint farm or provide immediate remote control of a server. It instead creates an opportunity for a logged-in attacker to inject content into a SharePoint-generated page and present that content to another user as though it came from the trusted SharePoint deployment.
That distinction matters in enterprise environments. Employees may treat pages hosted under an internal SharePoint domain as trusted, particularly when the site contains document libraries, workflow forms, intranet announcements, or links to Microsoft 365 resources. Spoofed content could therefore support credential theft, misleading prompts, malicious redirects, or other social-engineering activity, even though CVE-2026-55019 is not itself classified as remote code execution.
Microsoft’s scoring also marks the vulnerability’s scope as unchanged. Successful exploitation affects resources governed by the vulnerable SharePoint security authority rather than automatically crossing into another security boundary.
As of July 15, neither Microsoft’s assessment nor the July Patch Tuesday summary compiled by the SANS Internet Storm Center indicates known exploitation or public disclosure before the fix became available. Administrators should not confuse that status with proof that exploitation is impossible; it describes what was known when Microsoft published the advisory.

Three On-Premises SharePoint Lines Need Updates​

The CVE record identifies three affected product families and their corrected version thresholds:
  • Microsoft SharePoint Enterprise Server 2016 is affected before version 16.0.5561.1001.
  • Microsoft SharePoint Server 2019 is affected before version 16.0.10417.20175.
  • Microsoft SharePoint Server Subscription Edition is affected before version 16.0.19725.20434.
Microsoft’s July 2026 Office update index maps those releases to KB5002891 for SharePoint Server 2016, KB5002883 for SharePoint Server 2019, and KB5002882 for SharePoint Server Subscription Edition. Language-pack updates are also available as KB5002892 for SharePoint Server 2016 and KB5002885 for SharePoint Server 2019.
SharePoint Online is not listed as an affected product. The deployment work falls on organizations running SharePoint Server in their own environments, including farms hosted on local infrastructure or customer-managed cloud virtual machines.
The updates are cumulative packages containing fixes for numerous SharePoint and Office vulnerabilities, not narrowly scoped patches for CVE-2026-55019. Microsoft’s July package includes more serious SharePoint issues involving remote code execution, security-feature bypass, elevation of privilege, and information disclosure. That broader exposure makes the monthly update a higher priority than the 4.6 score attached to this individual spoofing flaw might suggest.
For SharePoint Server Subscription Edition, KB5002882 installs build 16.0.19725.20434 and replaces KB5002873. Microsoft says the package is available through Microsoft Update, the Microsoft Update Catalog, and the Download Center.

Installing the Binary Is Only Part of the Job​

SharePoint servicing requires more care than approving a normal Windows cumulative update. Administrators should back up the farm, verify database and service health, install the applicable packages on every SharePoint server, and complete the required configuration upgrade using the SharePoint Products Configuration Wizard or PSConfig.
A farm should not be considered fully updated merely because the new binaries appear in Programs and Features. Administrators need to verify that all servers report the expected patch state and that the configuration database upgrade completed successfully.
Organizations using SharePoint Workflow Manager face an additional prerequisite. Microsoft instructs those customers to install SharePoint Workflow Manager update KB5002799 before applying the July SharePoint cumulative update.
Farms still using the Classic version of Workflow Manager require a server debug flag to continue operating. Microsoft’s KB5002882 guidance calls for adding debug flag 53601 to the SharePoint farm and then running iisreset. That requirement should be included in the change plan rather than discovered after workflows stop processing.
The Subscription Edition update also carries a known-issue instruction for administrators after running PSConfig. Microsoft directs them to set DisableActorTokenAudienceValidation to $true, temporarily disabling a defense-in-depth validation that remains under development and may cause a regression. Microsoft says existing actor-token validation checks remain active, but security teams should document the setting so it can be reviewed when the company publishes revised guidance.
KB5002882 simultaneously fixes a nonsecurity regression that prevented SharePoint 2010 workflows from starting after installation of the June 2026 update. Farms affected by that workflow problem therefore have an operational reason, as well as a security reason, to move to the July build.

Treat Spoofing as a Trust-Boundary Problem​

CVE-2026-55019 does not carry the profile of an unauthenticated SharePoint takeover. Its need for an authorized account and user interaction limits direct exploitability, while its lack of availability impact keeps the CVSS score in the medium range.
The risk changes when SharePoint permits broad contributor access, accepts content from contractors or external collaborators, or hosts business processes that users follow without independently validating prompts. A compromised low-privilege account could provide the foothold needed to prepare malicious content, while the trusted intranet address supplies credibility.
Administrators should review contributor permissions and investigate unusual page modifications alongside deploying the update. Web application firewall rules or browser protections may reduce some cross-site scripting opportunities, but they are not substitutes for Microsoft’s corrected SharePoint builds.
Security monitoring should pay particular attention to unexpected script-bearing content, recently modified pages, unfamiliar redirects, and authentication prompts embedded in SharePoint sites. Those checks are especially relevant if a farm was internet-accessible or allowed content creation by a large population before the July updates were installed.
The immediate milestone is straightforward: bring SharePoint Server 2016 to at least 16.0.5561.1001, SharePoint Server 2019 to at least 16.0.10417.20175, and Subscription Edition to at least 16.0.19725.20434. For administrators, the real finish line is a successfully upgraded, health-checked farm—not simply an installed KB entry.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: support.microsoft.com
  3. Related coverage: caloes.ca.gov
  4. Related coverage: ncsc.gov.uk
  5. Related coverage: techradar.com
  6. Related coverage: windowscentral.com
 

Back
Top