CVE-2026-55021: Fix SharePoint XSS With July 2026 Updates

Microsoft has fixed CVE-2026-55021, an Important-rated SharePoint Server spoofing vulnerability that allows an authenticated attacker to inject malicious content into web pages and potentially compromise data viewed or submitted by another user. The flaw affects supported on-premises releases of SharePoint Server and was patched in Microsoft’s July 14, 2026 security updates.
Detailed in the Microsoft Security Response Center’s July Patch Tuesday advisory, CVE-2026-55021 is a cross-site scripting vulnerability caused by improper neutralization of input during web-page generation. An attacker needs a valid SharePoint account and user interaction, but exploitation can occur remotely over a network.
Administrators should install the July SharePoint security update that corresponds to their deployed version and complete the SharePoint farm upgrade process. Simply copying update files or patching one server does not finish maintenance for a multi-server farm.

A cybersecurity dashboard shows a patched SharePoint server farm protecting against spoofed content and script injection.Authenticated Access Still Leaves a Wide Attack Surface​

Microsoft describes CVE-2026-55021 as a spoofing vulnerability, while the underlying weakness is classified as CWE-79, or cross-site scripting. In practical terms, SharePoint does not safely neutralize certain attacker-controlled input before incorporating it into a generated page.
A successful attack could cause a trusted SharePoint site to present content supplied by the attacker. Depending on the affected page and the victim’s permissions, that content could misrepresent SharePoint data, redirect users, capture information entered into a fraudulent interface, or execute script within the site’s security context.
This is not an unauthenticated internet-to-server compromise. Microsoft’s CVSS vector specifies low privileges, meaning the attacker must already hold some level of authorized access to the SharePoint environment. The attack also requires a victim to interact with the crafted content.
Those requirements reduce the likelihood of indiscriminate exploitation, but they do not make the issue harmless. SharePoint farms frequently serve large employee populations, contractors, partner organizations, and departmental site owners. A compromised low-privilege account can therefore provide an attacker with both an entry point and a pool of higher-value users to target.
The distinction between server spoofing and ordinary phishing also matters. Users may be more willing to trust a page delivered from an organization’s legitimate SharePoint hostname, particularly when they reached it through an internal link or Microsoft 365 application. Security controls that rely largely on domain reputation can similarly struggle when the malicious content is presented through an approved business system.

Three On-Premises SharePoint Releases Need Updates​

The CVE record identifies Microsoft SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition as affected. Microsoft’s published fixed-build thresholds are:
  • SharePoint Enterprise Server 2016 installations earlier than build 16.0.5561.1001 are affected.
  • SharePoint Server 2019 installations earlier than build 16.0.10417.20175 are affected.
  • SharePoint Server Subscription Edition installations earlier than build 16.0.19725.20434 are affected.
Microsoft’s July 2026 Office update index maps those products to KB5002891 for SharePoint Server 2016, KB5002883 for SharePoint Server 2019, and KB5002882 for SharePoint Server Subscription Edition. Separate language-pack updates are also available as KB5002892 for SharePoint Server 2016 and KB5002885 for SharePoint Server 2019.
The affected-product list is limited to on-premises SharePoint Server. Microsoft does not identify SharePoint Online as vulnerable to CVE-2026-55021, and cloud tenants do not deploy these server packages themselves.
CVE-2026-55021 carries a CVSS 3.1 base score of 8.1. Its vector, AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N, reflects a network-reachable attack with low complexity, required low-level privileges, and required user interaction. Microsoft rates the potential confidentiality and integrity effects as high, while assigning no direct availability impact.
The “confirmed” report-confidence component in Microsoft’s scoring data should not be confused with evidence of attacks. It means Microsoft has confirmed the vulnerability and the credibility of its technical assessment. It does not mean exploitation has been observed in production environments.
The CISA-provided SSVC data attached to the public CVE record listed exploitation as “none” on July 14. There was therefore no public indication at publication time that CVE-2026-55021 was being actively exploited, although that status can change after technical details and patches become widely available.

The July Cumulative Update Carries Operational Conditions​

For SharePoint Server Subscription Edition, KB5002882 installs build 16.0.19725.20434 and replaces KB5002873. Microsoft says the package addresses numerous SharePoint and Office vulnerabilities beyond CVE-2026-55021, including remote-code-execution, elevation-of-privilege, information-disclosure, and security-feature-bypass issues.
That broader coverage makes selective treatment of the spoofing flaw impractical. Administrators are deploying a cumulative SharePoint package rather than a narrow standalone correction, so the usual testing for farm customizations, web parts, authentication integrations, search, and workflows remains necessary.
Microsoft warns organizations using SharePoint Workflow Manager to install Workflow Manager update KB5002799 before applying the SharePoint cumulative update. Farms using the older Classic Workflow Manager also need Microsoft’s documented server debug flag to preserve workflow operation.
KB5002882 additionally fixes a regression that prevented SharePoint 2010 workflows from starting after installation of the June 2026 update. That fix may make July’s package particularly important for farms that delayed June’s update because of workflow failures.
The Subscription Edition update has a known post-installation step involving the DisableActorTokenAudienceValidation farm property. Microsoft says administrators should apply its documented PowerShell setting after running PSConfig because a defense-in-depth actor-token validation feature under development can cause a regression. The company says existing actor-token validation checks remain active, but administrators should document the setting so it can be reviewed when Microsoft revises its guidance.
These prerequisites reinforce why SharePoint servicing is more involved than a routine Windows cumulative update. Every server in the farm should receive the applicable binaries, and administrators must then run the SharePoint Products Configuration Wizard or PSConfig as appropriate to upgrade the farm’s databases and components.

Patch Verification Must Reach Beyond Windows Update​

A successful package installation in Windows Update history is not enough to confirm that a SharePoint farm is fully protected. Administrators should verify the installed build across every SharePoint server, confirm that the configuration database reports no pending upgrade work, and check Central Administration for servers requiring action.
Internet-facing farms deserve priority, but CVE-2026-55021 also presents a meaningful internal threat. An attacker who has obtained employee credentials through password reuse, token theft, phishing, or another compromised application could use an internal SharePoint site to target users with greater privileges.
Security teams should review recent SharePoint content changes and audit activity for unexpected pages, scripts, embedded frames, redirects, or modifications made by accounts that normally have limited publishing responsibilities. Web application firewall alerts and browser telemetry may help identify script injection attempts, though those controls are not substitutes for installing Microsoft’s update.
Organizations should also test pages created by custom solutions after patching. Cross-site scripting corrections often tighten input validation or output encoding, which can expose unsupported assumptions in legacy web parts and internally developed extensions. A broken customization should be repaired rather than used as justification for leaving the farm on a vulnerable build.
CVE-2026-55021 is not currently presented as an unauthenticated zero-day, but its network reach, low attack complexity, and potentially high confidentiality and integrity impact justify prompt deployment. For SharePoint administrators, the concrete finish line is a farm at build 16.0.5561.1001, 16.0.10417.20175, or 16.0.19725.20434 as applicable, with PSConfig completed and workflow prerequisites verified.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: techradar.com
  3. Related coverage: windowscentral.com
  4. Related coverage: tomsguide.com
  5. Related coverage: pcgamer.com
  6. Official source: support.microsoft.com
 

Back
Top