Microsoft patched CVE-2026-55019 on July 14, 2026, closing a SharePoint Server cross-site scripting flaw that could let an authenticated attacker spoof content shown to another user. The vulnerability affects supported on-premises editions of SharePoint Server and requires administrators to install the July security updates rather than rely on a Microsoft 365 service-side fix.
Detailed in Microsoft’s Security Update Guide, CVE-2026-55019 carries an Important severity rating and a CVSS 3.1 base score of 4.6. Microsoft describes the underlying weakness as improper neutralization of input during web-page generation, categorized as CWE-79, or cross-site scripting.
The vulnerability is confirmed rather than speculative: its CVSS vector gives it a report-confidence value of “Confirmed.” That means Microsoft has acknowledged the defect and shipped corrections, although it does not mean attacks have been observed.
CVE-2026-55019 is network-accessible and has low attack complexity, but exploitation is constrained by two important requirements. An attacker must already possess low-level privileges, and a victim must interact with attacker-controlled content before the spoofing succeeds.
The complete CVSS vector is
In practical terms, the flaw is not expected to crash a SharePoint farm or provide immediate remote control of a server. It instead creates an opportunity for a logged-in attacker to inject content into a SharePoint-generated page and present that content to another user as though it came from the trusted SharePoint deployment.
That distinction matters in enterprise environments. Employees may treat pages hosted under an internal SharePoint domain as trusted, particularly when the site contains document libraries, workflow forms, intranet announcements, or links to Microsoft 365 resources. Spoofed content could therefore support credential theft, misleading prompts, malicious redirects, or other social-engineering activity, even though CVE-2026-55019 is not itself classified as remote code execution.
Microsoft’s scoring also marks the vulnerability’s scope as unchanged. Successful exploitation affects resources governed by the vulnerable SharePoint security authority rather than automatically crossing into another security boundary.
As of July 15, neither Microsoft’s assessment nor the July Patch Tuesday summary compiled by the SANS Internet Storm Center indicates known exploitation or public disclosure before the fix became available. Administrators should not confuse that status with proof that exploitation is impossible; it describes what was known when Microsoft published the advisory.
SharePoint Online is not listed as an affected product. The deployment work falls on organizations running SharePoint Server in their own environments, including farms hosted on local infrastructure or customer-managed cloud virtual machines.
The updates are cumulative packages containing fixes for numerous SharePoint and Office vulnerabilities, not narrowly scoped patches for CVE-2026-55019. Microsoft’s July package includes more serious SharePoint issues involving remote code execution, security-feature bypass, elevation of privilege, and information disclosure. That broader exposure makes the monthly update a higher priority than the 4.6 score attached to this individual spoofing flaw might suggest.
For SharePoint Server Subscription Edition, KB5002882 installs build 16.0.19725.20434 and replaces KB5002873. Microsoft says the package is available through Microsoft Update, the Microsoft Update Catalog, and the Download Center.
A farm should not be considered fully updated merely because the new binaries appear in Programs and Features. Administrators need to verify that all servers report the expected patch state and that the configuration database upgrade completed successfully.
Organizations using SharePoint Workflow Manager face an additional prerequisite. Microsoft instructs those customers to install SharePoint Workflow Manager update KB5002799 before applying the July SharePoint cumulative update.
Farms still using the Classic version of Workflow Manager require a server debug flag to continue operating. Microsoft’s KB5002882 guidance calls for adding debug flag
The Subscription Edition update also carries a known-issue instruction for administrators after running
KB5002882 simultaneously fixes a nonsecurity regression that prevented SharePoint 2010 workflows from starting after installation of the June 2026 update. Farms affected by that workflow problem therefore have an operational reason, as well as a security reason, to move to the July build.
The risk changes when SharePoint permits broad contributor access, accepts content from contractors or external collaborators, or hosts business processes that users follow without independently validating prompts. A compromised low-privilege account could provide the foothold needed to prepare malicious content, while the trusted intranet address supplies credibility.
Administrators should review contributor permissions and investigate unusual page modifications alongside deploying the update. Web application firewall rules or browser protections may reduce some cross-site scripting opportunities, but they are not substitutes for Microsoft’s corrected SharePoint builds.
Security monitoring should pay particular attention to unexpected script-bearing content, recently modified pages, unfamiliar redirects, and authentication prompts embedded in SharePoint sites. Those checks are especially relevant if a farm was internet-accessible or allowed content creation by a large population before the July updates were installed.
The immediate milestone is straightforward: bring SharePoint Server 2016 to at least 16.0.5561.1001, SharePoint Server 2019 to at least 16.0.10417.20175, and Subscription Edition to at least 16.0.19725.20434. For administrators, the real finish line is a successfully upgraded, health-checked farm—not simply an installed KB entry.
Detailed in Microsoft’s Security Update Guide, CVE-2026-55019 carries an Important severity rating and a CVSS 3.1 base score of 4.6. Microsoft describes the underlying weakness as improper neutralization of input during web-page generation, categorized as CWE-79, or cross-site scripting.
The vulnerability is confirmed rather than speculative: its CVSS vector gives it a report-confidence value of “Confirmed.” That means Microsoft has acknowledged the defect and shipped corrections, although it does not mean attacks have been observed.
A Low Score Still Leaves Room for Deception
CVE-2026-55019 is network-accessible and has low attack complexity, but exploitation is constrained by two important requirements. An attacker must already possess low-level privileges, and a victim must interact with attacker-controlled content before the spoofing succeeds.The complete CVSS vector is
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C. Microsoft assesses the potential confidentiality and integrity effects as low, with no direct availability impact.In practical terms, the flaw is not expected to crash a SharePoint farm or provide immediate remote control of a server. It instead creates an opportunity for a logged-in attacker to inject content into a SharePoint-generated page and present that content to another user as though it came from the trusted SharePoint deployment.
That distinction matters in enterprise environments. Employees may treat pages hosted under an internal SharePoint domain as trusted, particularly when the site contains document libraries, workflow forms, intranet announcements, or links to Microsoft 365 resources. Spoofed content could therefore support credential theft, misleading prompts, malicious redirects, or other social-engineering activity, even though CVE-2026-55019 is not itself classified as remote code execution.
Microsoft’s scoring also marks the vulnerability’s scope as unchanged. Successful exploitation affects resources governed by the vulnerable SharePoint security authority rather than automatically crossing into another security boundary.
As of July 15, neither Microsoft’s assessment nor the July Patch Tuesday summary compiled by the SANS Internet Storm Center indicates known exploitation or public disclosure before the fix became available. Administrators should not confuse that status with proof that exploitation is impossible; it describes what was known when Microsoft published the advisory.
Three On-Premises SharePoint Lines Need Updates
The CVE record identifies three affected product families and their corrected version thresholds:- Microsoft SharePoint Enterprise Server 2016 is affected before version 16.0.5561.1001.
- Microsoft SharePoint Server 2019 is affected before version 16.0.10417.20175.
- Microsoft SharePoint Server Subscription Edition is affected before version 16.0.19725.20434.
SharePoint Online is not listed as an affected product. The deployment work falls on organizations running SharePoint Server in their own environments, including farms hosted on local infrastructure or customer-managed cloud virtual machines.
The updates are cumulative packages containing fixes for numerous SharePoint and Office vulnerabilities, not narrowly scoped patches for CVE-2026-55019. Microsoft’s July package includes more serious SharePoint issues involving remote code execution, security-feature bypass, elevation of privilege, and information disclosure. That broader exposure makes the monthly update a higher priority than the 4.6 score attached to this individual spoofing flaw might suggest.
For SharePoint Server Subscription Edition, KB5002882 installs build 16.0.19725.20434 and replaces KB5002873. Microsoft says the package is available through Microsoft Update, the Microsoft Update Catalog, and the Download Center.
Installing the Binary Is Only Part of the Job
SharePoint servicing requires more care than approving a normal Windows cumulative update. Administrators should back up the farm, verify database and service health, install the applicable packages on every SharePoint server, and complete the required configuration upgrade using the SharePoint Products Configuration Wizard orPSConfig.A farm should not be considered fully updated merely because the new binaries appear in Programs and Features. Administrators need to verify that all servers report the expected patch state and that the configuration database upgrade completed successfully.
Organizations using SharePoint Workflow Manager face an additional prerequisite. Microsoft instructs those customers to install SharePoint Workflow Manager update KB5002799 before applying the July SharePoint cumulative update.
Farms still using the Classic version of Workflow Manager require a server debug flag to continue operating. Microsoft’s KB5002882 guidance calls for adding debug flag
53601 to the SharePoint farm and then running iisreset. That requirement should be included in the change plan rather than discovered after workflows stop processing.The Subscription Edition update also carries a known-issue instruction for administrators after running
PSConfig. Microsoft directs them to set DisableActorTokenAudienceValidation to $true, temporarily disabling a defense-in-depth validation that remains under development and may cause a regression. Microsoft says existing actor-token validation checks remain active, but security teams should document the setting so it can be reviewed when the company publishes revised guidance.KB5002882 simultaneously fixes a nonsecurity regression that prevented SharePoint 2010 workflows from starting after installation of the June 2026 update. Farms affected by that workflow problem therefore have an operational reason, as well as a security reason, to move to the July build.
Treat Spoofing as a Trust-Boundary Problem
CVE-2026-55019 does not carry the profile of an unauthenticated SharePoint takeover. Its need for an authorized account and user interaction limits direct exploitability, while its lack of availability impact keeps the CVSS score in the medium range.The risk changes when SharePoint permits broad contributor access, accepts content from contractors or external collaborators, or hosts business processes that users follow without independently validating prompts. A compromised low-privilege account could provide the foothold needed to prepare malicious content, while the trusted intranet address supplies credibility.
Administrators should review contributor permissions and investigate unusual page modifications alongside deploying the update. Web application firewall rules or browser protections may reduce some cross-site scripting opportunities, but they are not substitutes for Microsoft’s corrected SharePoint builds.
Security monitoring should pay particular attention to unexpected script-bearing content, recently modified pages, unfamiliar redirects, and authentication prompts embedded in SharePoint sites. Those checks are especially relevant if a farm was internet-accessible or allowed content creation by a large population before the July updates were installed.
The immediate milestone is straightforward: bring SharePoint Server 2016 to at least 16.0.5561.1001, SharePoint Server 2019 to at least 16.0.10417.20175, and Subscription Edition to at least 16.0.19725.20434. For administrators, the real finish line is a successfully upgraded, health-checked farm—not simply an installed KB entry.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Official source: support.microsoft.com
Description of the security update for SharePoint Server 2019: June 9, 2026 (KB5002874) | Microsoft Support
Description of the security update for SharePoint Server 2019: June 9, 2026 (KB5002874)support.microsoft.com - Related coverage: caloes.ca.gov
</rdf:Alt> </dc:title> <dc:description> <rdf:Alt> <rdf:li xml:lang="x-default"/> </rdf:Alt> </dc:description> <dc:creator> <rdf:Seq> <rdf:li>(Contra
</rdf:Alt> </dc:description> <dc:creator> <rdf:Seq> <rdf:li>(Contractor) Melanie, Barlow@CalOESwww.caloes.ca.gov
- Related coverage: ncsc.gov.uk
- Related coverage: techradar.com
Microsoft 365 Copilot can be turned into a one-click data theft tool — inbox, OneDrive, and SharePoint data all at risk, so patch now | TechRadar
Varonis found a way to chain three bugs into one exploitwww.techradar.com - Related coverage: windowscentral.com
Microsoft issues emergency SharePoint patches for ToolShell | Windows Central
Microsoft has issued emergency patches for two zero-day vulnerabilities.www.windowscentral.com