Microsoft kicked off the June 2026 Patch Tuesday with the release of CVE-2026-45465, an Important-rated spoofing vulnerability in Microsoft SharePoint Server. The cross-site scripting (XSS) flaw could allow an attacker to impersonate a legitimate user or manipulate web content, potentially leading to data theft or privilege escalation. Administrators running on-premises SharePoint farms have until July 11 to deploy the patch before active exploits become widely available.

Published on June 9, 2026, the security advisory details a vulnerability that affects all supported on-premises editions of SharePoint Server. The culprit is a classic cross-site scripting flaw, a perennial favorite among attackers targeting web applications. By tricking a user into clicking a specially crafted link, an attacker can execute arbitrary script code in the victim’s browser within the context of a trusted SharePoint site. This opens the door to session hijacking, credential harvesting, and the spread of malicious content across a corporate intranet.

CVE-2026-45465 at a Glance

The Common Vulnerabilities and Exposures (CVE) entry for this bug paints a familiar but dangerous picture. Microsoft’s Security Response Center (MSRC) assessed it with the “Important” severity label, a step below “Critical” yet still a serious threat for most organizations. With an attack vector that is network-based, low attack complexity, and only low privileges required, the main mitigation is that user interaction is mandatory—someone must click a malicious link. However, in a social engineering-heavy world, that barrier is often easily bypassed.

While Microsoft has not publicly assigned a CVSS score, similar SharePoint XSS spoofing vulnerabilities have historically scored between 6.5 and 8.0, placing them firmly in the high-risk category for environments where SharePoint is integral to daily operations. The spoofing classification indicates that the vulnerability could be used to impersonate a user or to deceive the system about the origin of content, which can be leveraged for phishing, data exfiltration, or bypassing access controls.

Affected SharePoint Server Editions

CVE-2026-45465 impacts all actively supported on-premises versions of Microsoft SharePoint Server:

  • SharePoint Server Subscription Edition
  • SharePoint Server 2019
  • SharePoint Server 2016

Notably, SharePoint Foundation 2013 is not listed, as its extended support ended in April 2023. Organizations still running this older version should consider it at risk if similar code paths exist, but no official patch will be provided. Cloud-based SharePoint in Microsoft 365 is not affected by this CVE, as Microsoft automatically applies security fixes to its service infrastructure.

Administrators can verify the exact build numbers of the patched versions in the MSRC update guide. As always, it’s crucial to apply the updates through Windows Update, Microsoft Update, or by downloading the specific packages from the Microsoft Update Catalog. After installation, the SharePoint Products Configuration Wizard must be run on each server in the farm to complete the patching process.

The Cross-Site Scripting Menace

Cross-site scripting remains one of the most prevalent web application vulnerabilities, and SharePoint—with its deep integration of custom scripts and web parts—has been a recurring target. In reflected XSS scenarios like CVE-2026-45465, an attacker crafts a URL that includes malicious script code. When a SharePoint user clicks that link, the script executes in their browser under the site’s security context. This can be used to:

  • Steal authentication cookies, allowing the attacker to hijack the user’s session.
  • Deface pages or inject fake login forms to capture credentials.
  • Perform actions on behalf of the user, such as uploading or deleting documents, modifying lists, or even escalating privileges if the victim is an administrator.

Because SharePoint is often the backbone of document management and collaboration, a successful attack can leak sensitive business data, disrupt workflows, or serve as an entry point for lateral movement across the network. The fact that this vulnerability requires user interaction means it’s more likely to be used in spear-phishing campaigns against specific staff members, making high-value targets like executives or IT admins especially vulnerable.

Patch Deployment and Mitigation Strategies

Microsoft has released security updates for each affected version. The fixes address the underlying XSS vulnerability by improving how SharePoint sanitizes input and encodes output. Simply installing the update is not enough; administrators must also run the SharePoint Configuration Wizard after applying the binaries. Failure to do so leaves the farm in a partially patched and potentially unstable state.

For organizations that cannot patch immediately—perhaps due to change management windows or compatibility testing—the following mitigations can reduce risk:

  • Restrict network access: Use firewalls or VPNs to limit SharePoint access to trusted internal networks.
  • Enable URL rewriting or web application firewalls (WAFs): These can filter out known XSS patterns, though they are not foolproof.
  • User education: Remind staff not to click links in unsolicited emails or instant messages.
  • Disable unnecessary features: If certain web parts or script-heavy functionality are not in use, consider deactivating them temporarily.

However, these are stopgap measures. The definitive solution is patching. Microsoft’s guidance for this CVE includes no effective workarounds, underscoring the need for swift action.

Community Pulse and Real-World Impact

On platforms like the Windows Forum and Reddit’s r/sysadmin, early chatter reflects the usual mix of urgency and frustration. IT professionals are sharing deployment experiences, stressing the importance of testing in non-production environments first. Some report that the patch requires a server reboot and a full configuration wizard run, which can take upwards of an hour for large farms.

Historical context amplifies the concern. SharePoint has seen several high-profile XSS flaws—CVE-2020-0646 in February 2020 and CVE-2019-0604 just months earlier, both of which were actively exploited in the wild. Given the low complexity of CVE-2026-45465, security experts anticipate proof-of-concept code to surface within days, followed by automated scanning by threat actors.

One recurring theme in community discussions is the challenge of patching legacy on-prem servers. Many organizations have hybrid environments or heavily customized SharePoint installations that complicate updates. The consensus, however, remains clear: the risk of a successful spoofing attack far outweighs the operational pain of patching.

The Bigger Picture: SharePoint Security in an Evolving Threat Landscape

This CVE is a stark reminder that on-premises software still demands rigorous patch management. While the cloud shift has offloaded some security burdens, on-prem SharePoint remains deeply entrenched in government, healthcare, and financial sectors where data sovereignty matters. Microsoft’s own Digital Defense Report has repeatedly highlighted the exploitation of unpatched on-prem servers as a top attack vector.

CVE-2026-45465 also illustrates the enduring relevance of injection bugs. Despite modern frameworks and better developer training, complex platforms like SharePoint expose large attack surfaces where legacy code or third-party web parts may reintroduce vulnerabilities. For administrators, this means adopting a defense-in-depth approach that combines timely patching with network segmentation, least-privilege access policies, and continuous monitoring of SharePoint logs.

Looking ahead, the July 2026 Patch Tuesday will roll around quickly. Delaying this update means rolling the dice with a known vulnerability. As one veteran SharePoint admin put it, “Patch early, patch often—and always have a rollback plan.” That advice has never been more pertinent.