CVE-2026-20963

Опубликовано: 13 янв. 2026

Источник: msrc

CVSS3: 8.8

EPSS Низкий

Описание

Microsoft SharePoint Remote Code Execution Vulnerability

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

FAQ

According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?

Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges.

How could an attacker exploit the vulnerability?

In a network-based attack, an attacker authenticated as at least a Site Owner, could write arbitrary code to inject and execute code remotely on the SharePoint Server.

Обновления

Продукт	Статья	Обновление
Microsoft SharePoint Enterprise Server 2016	5002828	Security Update
Microsoft SharePoint Server 2019	5002825	Security Update
Microsoft SharePoint Server Subscription Edition	5002822	Security Update

Показывать по

Возможность эксплуатации

Publicly Disclosed

Exploited

Latest Software Release

Exploitation Less Likely

EPSS

Процентиль: 74%

0.0083

Низкий

8.8 High

CVSS3

Связанные уязвимости

CVE-2026-20963

CVSS3: 8.8

nvd

21 день назад

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

GHSA-5vr8-9cf6-r7px

CVSS3: 8.8

github

21 день назад

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

BDU:2026-00638

CVSS3: 8.8

fstec

22 дня назад

Уязвимость пакетов программ Microsoft SharePoint Server и SharePoint Enterprise Server, связанная с недостатками механизма десериализации, позволяющая нарушителю выполнить произвольный код

EPSS

Процентиль: 74%

0.0083

Низкий

8.8 High

CVSS3