CVE-2026-55135 affects Microsoft SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition, allowing an authenticated attacker to inject script content that can be used to spoof information presented to another user. Microsoft fixed the flaw in its July 14, 2026 security updates, making those cumulative packages the immediate deployment target for on-premises SharePoint administrators.
Detailed in Microsoft’s Security Update Guide and July Office update documentation, the vulnerability is classified as a cross-site scripting weakness under CWE-79. Microsoft assigned it a CVSS 3.1 base score of 4.6, placing it in the Medium severity band, but that number should not be mistaken for permission to leave an internet-facing or broadly accessible SharePoint farm unpatched.
The affected versions and minimum corrected builds are:
CVE-2026-55135 originates in improper neutralization of input during web-page generation. In practical terms, SharePoint fails to sanitize some attacker-controlled content correctly, creating an opening for script execution when that content is rendered for another user.
The CVSS vector is
That combination explains the 4.6 score. An anonymous attacker cannot simply send a request to an exposed server and immediately take control of the SharePoint farm. The attacker first needs an authorized account capable of submitting the relevant content, and a targeted user must then view or otherwise interact with it.
For enterprise SharePoint, however, authorized is a broad category. Farms routinely permit employees, contractors, project members and external collaborators to create pages, edit lists, upload documents, post comments or contribute to team sites. A compromised low-privilege account may therefore satisfy the prerequisite without giving the attacker administrative access.
The user-interaction requirement also fits naturally into normal SharePoint behavior. A link to a project page, a request to review a document or a notification from an existing team site may not look suspicious, particularly when it originates inside an authenticated environment. The security boundary at issue is not merely whether an outsider can reach SharePoint, but whether content created by one user can be trusted when displayed to another.
Cross-site scripting can still attack the credibility of the service in the victim’s browser. Malicious content may be able to imitate legitimate interface elements, present misleading instructions or alter what a user believes SharePoint is displaying. Depending on the vulnerable context and browser protections, injected script could also attempt to access data available to the victim’s active SharePoint session.
Administrators should avoid assuming that a spoofing classification limits the problem to cosmetic page changes. SharePoint often hosts internal announcements, approval workflows, policy documents and links to administrative resources. Content that appears to come from a trusted corporate portal can be used to steer users toward credential prompts, malicious downloads or fraudulent business actions.
The CVSS assessment limits the expected confidentiality and integrity effects to Low and records no availability impact. It also keeps scope unchanged, meaning the scored security impact remains within the same authority controlled by the vulnerable component. These are useful boundaries, but they do not measure the downstream effectiveness of social engineering performed through a trusted intranet.
For SharePoint Server Subscription Edition, KB5002882 raises the security update package to build 16.0.19725.20434. Microsoft says the package resolves information-disclosure, remote-code-execution, spoofing, security-feature-bypass and elevation-of-privilege vulnerabilities in addition to correcting a problem that prevented SharePoint 2010 workflows from starting after the June 2026 update.
Subscription Edition also has a notable post-installation instruction. Microsoft says administrators must run PowerShell commands after PSConfig to disable a defense-in-depth actor-token audience validation feature that is still under development and may cause a regression. Existing actor-token validation remains in place, according to the company, but this requirement deserves explicit inclusion in change plans rather than discovery during a production outage.
SharePoint Server 2019 receives KB5002883, build 16.0.10417.20175. Besides the security fixes, Microsoft says it repairs the SharePoint 2010 workflow regression and an issue in which pages failed to load because certain user controls were treated as unsafe. Farms using the SharePoint Server 2019 Language Pack should also account for KB5002885 in the deployment plan.
SharePoint Server 2016 receives KB5002891, with the corrected version boundary recorded as 16.0.5561.1001. Microsoft separately published KB5002892 for the SharePoint Server 2016 Language Pack at the same build level.
Organizations still using Classic Workflow Manager must also enable Microsoft’s specified farm debug flag and reset IIS to continue using that component. This is not part of the CVE-2026-55135 exploit itself, but it can determine whether a rushed security deployment breaks existing business workflows.
As with other SharePoint security updates, installing the binaries is only one stage of servicing a farm. Administrators should patch every applicable server, run the SharePoint Products Configuration Wizard or PSConfig as required, and confirm that the farm reports the corrected build consistently. Search, distributed cache, workflow integrations, custom web parts and authentication flows warrant targeted checks before the maintenance window closes.
Testing should include both publishing and consuming content with ordinary contributor accounts. Because CVE-2026-55135 crosses the boundary between user-supplied content and what another browser renders, validation focused only on Central Administration or farm health may miss application-level regressions.
Administrators should also review recently created or modified pages, lists and other contributor-controlled content when there is reason to suspect account compromise. Patching prevents future use of the vulnerable behavior, but it does not automatically establish that existing content is benign.
The practical priority is straightforward: inventory on-premises SharePoint farms, compare their package builds with 16.0.5561.1001, 16.0.10417.20175 and 16.0.19725.20434, then deploy the appropriate July 14 update with its workflow and PSConfig requirements included in the runbook. CVE-2026-55135 is not an unauthenticated server takeover, but it turns a trusted collaboration surface into an attacker-controlled presentation layer—and SharePoint’s trust is precisely what makes that useful.
Detailed in Microsoft’s Security Update Guide and July Office update documentation, the vulnerability is classified as a cross-site scripting weakness under CWE-79. Microsoft assigned it a CVSS 3.1 base score of 4.6, placing it in the Medium severity band, but that number should not be mistaken for permission to leave an internet-facing or broadly accessible SharePoint farm unpatched.
The affected versions and minimum corrected builds are:
- SharePoint Server 2016 must be updated to build 16.0.5561.1001 through KB5002891.
- SharePoint Server 2019 must be updated to build 16.0.10417.20175 through KB5002883.
- SharePoint Server Subscription Edition must be updated to build 16.0.19725.20434 through KB5002882.
Authentication Narrows the Door, Not the Impact
CVE-2026-55135 originates in improper neutralization of input during web-page generation. In practical terms, SharePoint fails to sanitize some attacker-controlled content correctly, creating an opening for script execution when that content is rendered for another user.The CVSS vector is
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N. An attack can be delivered over a network, requires little attack complexity and only low privileges, but also requires a victim to interact with the malicious SharePoint content. Microsoft expects a successful exploit to have limited confidentiality and integrity impact without directly affecting service availability.That combination explains the 4.6 score. An anonymous attacker cannot simply send a request to an exposed server and immediately take control of the SharePoint farm. The attacker first needs an authorized account capable of submitting the relevant content, and a targeted user must then view or otherwise interact with it.
For enterprise SharePoint, however, authorized is a broad category. Farms routinely permit employees, contractors, project members and external collaborators to create pages, edit lists, upload documents, post comments or contribute to team sites. A compromised low-privilege account may therefore satisfy the prerequisite without giving the attacker administrative access.
The user-interaction requirement also fits naturally into normal SharePoint behavior. A link to a project page, a request to review a document or a notification from an existing team site may not look suspicious, particularly when it originates inside an authenticated environment. The security boundary at issue is not merely whether an outsider can reach SharePoint, but whether content created by one user can be trusted when displayed to another.
Spoofing Can Become a Credibility Attack
Microsoft labels the impact as spoofing rather than remote code execution or elevation of privilege. That distinction matters: CVE-2026-55135 is not described as a direct route to executing arbitrary code on the SharePoint server.Cross-site scripting can still attack the credibility of the service in the victim’s browser. Malicious content may be able to imitate legitimate interface elements, present misleading instructions or alter what a user believes SharePoint is displaying. Depending on the vulnerable context and browser protections, injected script could also attempt to access data available to the victim’s active SharePoint session.
Administrators should avoid assuming that a spoofing classification limits the problem to cosmetic page changes. SharePoint often hosts internal announcements, approval workflows, policy documents and links to administrative resources. Content that appears to come from a trusted corporate portal can be used to steer users toward credential prompts, malicious downloads or fraudulent business actions.
The CVSS assessment limits the expected confidentiality and integrity effects to Low and records no availability impact. It also keeps scope unchanged, meaning the scored security impact remains within the same authority controlled by the vulnerable component. These are useful boundaries, but they do not measure the downstream effectiveness of social engineering performed through a trusted intranet.
July’s Cumulative Updates Carry the Fix
Microsoft delivers the correction through the regular SharePoint cumulative-update channel rather than as a standalone fix for CVE-2026-55135. The July packages also address numerous other SharePoint and Office vulnerabilities, so administrators cannot isolate this CVE from the wider monthly maintenance release.For SharePoint Server Subscription Edition, KB5002882 raises the security update package to build 16.0.19725.20434. Microsoft says the package resolves information-disclosure, remote-code-execution, spoofing, security-feature-bypass and elevation-of-privilege vulnerabilities in addition to correcting a problem that prevented SharePoint 2010 workflows from starting after the June 2026 update.
Subscription Edition also has a notable post-installation instruction. Microsoft says administrators must run PowerShell commands after PSConfig to disable a defense-in-depth actor-token audience validation feature that is still under development and may cause a regression. Existing actor-token validation remains in place, according to the company, but this requirement deserves explicit inclusion in change plans rather than discovery during a production outage.
SharePoint Server 2019 receives KB5002883, build 16.0.10417.20175. Besides the security fixes, Microsoft says it repairs the SharePoint 2010 workflow regression and an issue in which pages failed to load because certain user controls were treated as unsafe. Farms using the SharePoint Server 2019 Language Pack should also account for KB5002885 in the deployment plan.
SharePoint Server 2016 receives KB5002891, with the corrected version boundary recorded as 16.0.5561.1001. Microsoft separately published KB5002892 for the SharePoint Server 2016 Language Pack at the same build level.
Workflow Dependencies Complicate a Routine Patch
Microsoft places an important prerequisite on all three core SharePoint updates. Farms running SharePoint Workflow Manager must have Workflow Manager update KB5002799 installed before administrators apply the July cumulative update.Organizations still using Classic Workflow Manager must also enable Microsoft’s specified farm debug flag and reset IIS to continue using that component. This is not part of the CVE-2026-55135 exploit itself, but it can determine whether a rushed security deployment breaks existing business workflows.
As with other SharePoint security updates, installing the binaries is only one stage of servicing a farm. Administrators should patch every applicable server, run the SharePoint Products Configuration Wizard or PSConfig as required, and confirm that the farm reports the corrected build consistently. Search, distributed cache, workflow integrations, custom web parts and authentication flows warrant targeted checks before the maintenance window closes.
Testing should include both publishing and consuming content with ordinary contributor accounts. Because CVE-2026-55135 crosses the boundary between user-supplied content and what another browser renders, validation focused only on Central Administration or farm health may miss application-level regressions.
Administrators should also review recently created or modified pages, lists and other contributor-controlled content when there is reason to suspect account compromise. Patching prevents future use of the vulnerable behavior, but it does not automatically establish that existing content is benign.
The practical priority is straightforward: inventory on-premises SharePoint farms, compare their package builds with 16.0.5561.1001, 16.0.10417.20175 and 16.0.19725.20434, then deploy the appropriate July 14 update with its workflow and PSConfig requirements included in the runbook. CVE-2026-55135 is not an unauthenticated server takeover, but it turns a trusted collaboration surface into an attacker-controlled presentation layer—and SharePoint’s trust is precisely what makes that useful.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Official source: support.microsoft.com
Opis sigurnosnog ažuriranja za SharePoint Server 2016: 14. travnja 2026. (KB5002861.) | Microsoft Support
Opis sigurnosnog ažuriranja za SharePoint Server 2016: 14. travnja 2026. (KB5002861.)support.microsoft.com - Official source: learn.microsoft.com
SharePoint updates - Office release notes | Microsoft Learn
Find and manage updates for SharePoint Server Subscription Edition, SharePoint Server 2019, SharePoint Server 2016, and SharePoint 2013 in one place. Use the links on this page to get more information about updates, and then download the updates.learn.microsoft.com