Two deserialization vulnerabilities in Microsoft SharePoint Server, tracked as CVE-2026-47294 (CVSS 8.0) and CVE-2026-45659 (CVSS 8.8), allow authenticated attackers to execute arbitrary code over a network. Both affect SharePoint Server Subscription Edition, 2016, and 2019, and are fixed in build 16.0.19725.20280 for the Subscription Edition.
What Are the Vulnerabilities?
Both vulnerabilities involve deserialization of untrusted data — a well-known and frequently exploited vulnerability class in .NET and SharePoint environments. CVE-2026-45659 (CVSS 8.8, CWE-502) and CVE-2026-47294 (CVSS 8.0, CWE-78) both allow an authorised attacker — someone with legitimate but low-privilege SharePoint access — to send crafted payloads that trigger deserialization of malicious objects, leading to remote code execution on the SharePoint server.
SharePoint is the backbone of enterprise document management, intranet portals, and collaboration platforms. A compromised SharePoint server gives an attacker access to all stored documents, workflows, lists, and integrated data sources — and often provides a pivot point into connected systems like SQL Server, Power Platform, and Teams.
Which Versions Are Affected?
- SharePoint Server Subscription Edition: all builds prior to 16.0.19725.20280
- SharePoint Server 2019
- SharePoint Server 2016 Enterprise
Is It Being Exploited in the Wild?
No active exploitation has been publicly confirmed. However, SharePoint deserialization vulnerabilities are routinely targeted — they provide authenticated users a path to server compromise and have been exploited in numerous historical campaigns.
What Is the Fix?
Apply the SharePoint security update. For Subscription Edition, update to build 16.0.19725.20280 or later. For SharePoint 2016 and 2019, apply the latest cumulative update. Advisories: MSRC CVE-2026-47294 | MSRC CVE-2026-45659
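A fleet triage sketch for the fix above, added here as an example and not taken from Microsoft's advisory. It compares reported farm build numbers (for instance the output of `(Get-SPFarm).BuildVersion`) against the fixed Subscription Edition build. The product build ranges, host names and inventory values are assumptions constructed for illustration; the point is that all three products report version 16.0, so a bare comparison against 16.0.19725.20280 would misclassify 2016 and 2019 farms.

```python
from typing import NamedTuple

FIXED_SE = (16, 0, 19725, 20280)  # fixed Subscription Edition build, from the advisory
# Assumption (not from the advisory): the third build component separates the
# products, following Microsoft's build numbering for 2016, 2019 and SE.
SE_FIRST_BUILD = 14326
SP2019_FIRST_BUILD = 10000

# Constructed sample inventory: host name -> reported farm build.
INVENTORY = {
    "sp-se-01": "16.0.19725.20280",
    "sp-se-02": "16.0.17928.20238",
    "sp-2019-01": "16.0.10417.20027",
    "sp-2016-01": "16.0.5500.1000",
    "sp-old-01": "15.0.5545.1000",
    "sp-bad": "16.0.19725",
}

class Finding(NamedTuple):
    host: str
    product: str
    status: str

def parse_build(text: str) -> tuple[int, ...]:
    """Parse 'a.b.c.d' into a tuple of ints; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"not a four-part build number: {text!r}")
    return tuple(int(p) for p in parts)

def triage(host: str, build_text: str) -> Finding:
    try:
        build = parse_build(build_text)
    except ValueError:
        return Finding(host, "unknown", "UNPARSEABLE")
    if build[:2] != (16, 0):
        return Finding(host, "unknown", "NOT_IN_ADVISORY")
    if build[2] >= SE_FIRST_BUILD:
        status = "PATCHED" if build >= FIXED_SE else "VULNERABLE"
        return Finding(host, "Subscription Edition", status)
    product = "2019" if build[2] >= SP2019_FIRST_BUILD else "2016"
    # The advisory names no fixed build for 2016/2019, only the latest CU.
    return Finding(host, product, "CHECK_LATEST_CU")

def triage_all(inventory: dict[str, str]) -> list[Finding]:
    return [triage(host, build) for host, build in inventory.items()]

if __name__ == "__main__":
    for finding in triage_all(INVENTORY):
        print(f"{finding.host:12} {finding.product:22} {finding.status}")
```
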
Recommendations
- Apply SharePoint updates in your next patching cycle. Although exploitation requires authentication, SharePoint environments should be patched promptly given the server-compromise impact.
- Audit SharePoint permissions. Reduce the number of users with Contributor or higher permissions to minimise the authenticated attack surface.
References
This advisory is covered in the broader Vulnerability Intelligence Report — June 5, 2026.
