Microsoft SharePoint: 21 Vulnerabilities Disclosed in June Patch Tuesday
Microsoft SharePoint users face a significant security update with 21 vulnerabilities disclosed on June 9, 2026, including high-severity flaws.
Key findings
- 21 vulnerabilities in Microsoft Office SharePoint disclosed on June 9, 2026.
- Includes High-severity flaws like RCE (CVE-2026-47298) and privilege escalation (CVE-2026-45484).
- A significant number of Medium-severity Cross-Site Scripting (XSS) vulnerabilities were patched.
- These vulnerabilities were part of Microsoft's June 2026 Patch Tuesday, addressing 198 flaws overall.
- Patching is critical due to potential for spoofing, code execution, and privilege escalation.
Microsoft's June 2026 Patch Tuesday brought a substantial security update for its Office SharePoint product, addressing a batch of 21 vulnerabilities disclosed on June 9, 2026. This significant cluster of flaws includes several high-severity issues, alongside numerous medium-severity cross-site scripting (XSS) vulnerabilities, underscoring the need for prompt patching.
The disclosed vulnerabilities span various attack vectors and impact categories. A notable portion of the batch consists of improper neutralization of input during web page generation, commonly known as cross-site scripting (XSS). These vulnerabilities, such as CVE-2026-48562, CVE-2026-48560, CVE-2026-47641, CVE-2026-47640, CVE-2026-47639, CVE-2026-47638, CVE-2026-47637, CVE-2026-47636, CVE-2026-45479, CVE-2026-45468, CVE-2026-45467, CVE-2026-45465, CVE-2026-45464, CVE-2026-45462, and CVE-2026-45453, allow authorized attackers to perform spoofing over a network. Several of these XSS vulnerabilities carry a CVSSv3 score of 5.4, while others are rated at 4.6.
Beyond XSS, the batch includes more critical vulnerabilities. CVE-2026-47298, rated with a CVSSv3 score of 8.0, involves improper authorization, potentially allowing an attacker to execute code over a network. Another critical flaw, CVE-2026-45484, with a CVSSv3 score of 8.8, is due to deserialization of untrusted data, enabling an attacker to elevate privileges. Additionally, CVE-2026-47634 and CVE-2026-45481, both rated as High with a CVSSv3 score of 7.3, are also cross-site scripting vulnerabilities. A path traversal vulnerability, CVE-2026-45454, rated Medium with a CVSSv3 score of 6.5, could also lead to code execution.
Microsoft's June 2026 Patch Tuesday addressed a total of 198 vulnerabilities across its product ecosystem, with three of them being publicly disclosed zero-day vulnerabilities. While the specific SharePoint vulnerabilities disclosed in this batch were not explicitly called out as zero-days in the provided coverage, their inclusion in the same Patch Tuesday update highlights their importance. Administrators are urged to prioritize patching these vulnerabilities to mitigate potential risks, as customer action is required for every CVE in this cycle, according to cybersecurity news outlets.
The sheer volume of vulnerabilities, particularly the concentration of XSS flaws, suggests a need for thorough review and application of security updates for all Microsoft Office SharePoint deployments. The range of severity, from Medium to High, means that organizations must assess their risk exposure and apply patches accordingly. The potential for code execution and privilege escalation from some of these flaws makes them particularly concerning.
Users of Microsoft Office SharePoint should consult Microsoft's official security advisories for detailed information on affected versions and the specific patches released. Promptly applying these updates is crucial to protect against potential exploitation and maintain the integrity and confidentiality of data stored and managed within SharePoint environments. The coordinated disclosure of these vulnerabilities on a single day emphasizes the importance of staying current with Microsoft's security bulletins.