VULNERABILITY OVERVIEW
Deserialization of untrusted data in Microsoft Office SharePoint allows an authenticated attacker with a minimum of Site Member permissions (low privilege) to execute arbitrary code remotely on a SharePoint Server instance without any user interaction. No PoC is currently publicly available, but SharePoint RCE flaws have historically been weaponized rapidly by ransomware operators, nation-state actors, and initial access brokers. The previous month's SharePoint spoofing flaw (CVE-2026-32201) was actively exploited in the wild.
CVSS BREAKDOWN
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: LOW
- User Interaction: NONE
- Scope / Impact: UNCHANGED, C:H · I:H · A:H
AFFECTED VERSIONS
SharePoint Server Subscription Edition, SharePoint Server 2019, SharePoint Enterprise Server 2016 (prior to May 2026 CU builds)
CITATIONS
- https://thehackernews.com/2026/05/microsoft-patches-sharepoint-rce-flaw.html
- https://www.helpnetsecurity.com/2026/05/26/sharepoint-vulnerability-cve-2026-45659/
- https://msrc.microsoft.com/update-guide/
- https://vulert.com/blog/cve-2026-45659-microsoft-sharepoint-rce-flaw/