The flaw is tracked as CVE-2026-45659 (CVSS score of 8.8) and was patched in late May, via an out-of-band security update. According to Microsoft, the vulnerability can be triggered by an authenticated attacker who has a minimum of Site Member permissions, without other elevated privileges. The tech giant also warned that the security defect is easy to exploit, “because an attacker does not require significant prior knowledge of the system and can achieve repeatable success with the payload against the vulnerable component.”

| Vendor | Product | Versions |
|---|---|---|
| microsoft | sharepoint_server | 16.0.0, 16.0.0, 16.0.0, SharePoint Enterprise Server 2016, SharePoint Server 2019, SharePoint Server Subscription Edition, 16.0.5552.1002, 16.0.10417.20128, 16.0.19725.20280 |

- Updated affected versions with specific fixed version numbers and added CISA KEV tag.
- Updated description with technical details, added CVE-2026-45659 to tags, and noted the patch was released in late May.
- Updated description with more technical detail, added affected versions, and confirmed severity and CVSS score.
- Updated exploit availability to true, added CISA KEV tag, and confirmed CVSS score as 8.8.
- Updated description with technical details, added affected versions, changed severity to HIGH, updated CVSS estimate to 7.5, and marked exploit as available and actively exploited.
- Updated severity to CRITICAL, changed description to include new details, and noted that no exploit is available.
- Initial creation