Microsoft has patched a cross-site scripting vulnerability in SharePoint Server that could allow an authenticated attacker to inject script and spoof content presented to other users. The fix arrived in the July 14, 2026 cumulative updates, covering SharePoint Server 2016, 2019, and Subscription Edition. Although rated medium severity with a CVSS score of 4.6, the flaw (CVE-2026-55135) poses a serious threat to enterprise trust because it can turn a user’s own SharePoint experience into an attacker’s deception.

The Vulnerability and the Fix

CVE-2026-55135 stems from improper neutralization of input during web-page generation. An attacker who has already gained authenticated access to a SharePoint site—even with low privileges—can craft content that includes malicious script. When another user views or interacts with that content, the script executes in the victim’s browser. Microsoft classifies the impact as spoofing: no direct code execution on the server, but the ability to falsify what a trusted SharePoint page displays.

The July 14 security bundles are cumulative, meaning they contain all previous fixes along with the resolution for this CVE. There is no standalone patch for this issue alone. Administrators must deploy the full monthly update. The affected versions and the minimum builds that include the fix are:

SharePoint Version KB Number Corrected Build
SharePoint Server 2016 KB5002891 16.0.5561.1001
SharePoint Server 2019 KB5002883 16.0.10417.20175
SharePoint Subscription Edition KB5002882 16.0.19725.20434

These updates also resolve other vulnerabilities, including information disclosure, remote code execution, and security feature bypass. For Subscription Edition, KB5002882 additionally fixes a regression that prevented SharePoint 2010 workflows from starting after the June 2026 update.

What It Means for Your Organization

The authenticated requirement may lead some to underestimate the risk. An attacker doesn’t need admin rights—any account that can create or edit a page, list, or document can exploit the flaw. In most enterprise SharePoint farms, hundreds of users have such permissions by default. A compromised contractor account or a disgruntled employee could become the attack vector. The user interaction step is equally easy to trigger: a link to a “quarterly report” or “urgent policy change” on a team site is unlikely to arouse suspicion. Once the victim’s browser runs the injected script, the attacker can mimic any SharePoint interface element—login prompts, approval forms, or fake notifications—to harvest credentials, redirect to malicious downloads, or manipulate business decisions.

Spoofing isn’t just cosmetic. SharePoint is often the backbone of internal communications, hosting everything from HR portals to financial dashboards. A well-timed spoofing campaign can erode the integrity of that platform far more effectively than a brute-force attack from the outside. The CVSS score reflects the immediate technical impact, but the downstream consequences of successful social engineering inside a trusted environment can be severe.

How We Got Here

Microsoft releases SharePoint security updates on a monthly cadence, typically aligning with Patch Tuesday. The July 14, 2026 batch follows this pattern. Vulnerabilities like CVE-2026-55135 are discovered through internal research or external reports and get addressed in these cumulative packages. The flaw was not publicly disclosed before the update, and Microsoft’s advisory states there is no evidence of active exploitation at the time of release.

The updates are distributed through Windows Update, Microsoft Update, and the Microsoft Update Catalog for on-premises servers. It’s worth noting that the July package for Subscription Edition contains a notable post-install step: after running PSConfig, admins must execute PowerShell commands to disable a defense-in-depth actor-token audience validation feature that is still under development. Leaving it enabled could cause a regression. Existing actor-token validation remains in place, but Microsoft’s instruction to explicitly disable a security feature for stability is unusual and should be part of every deployment plan.

All three core SharePoint updates list a prerequisite. Organizations that run SharePoint Workflow Manager must first install Workflow Manager update KB5002799 before applying the July cumulative update. Those still using Classic Workflow Manager also need to enable a farm debug flag and reset IIS. Skipping these steps can break existing workflows, turning a security patching exercise into a business disruption.

What to Do Now

If you manage an on-premises SharePoint farm, here is a pragmatic checklist to address this CVE and the broader July update:

  1. Inventory your farms. Identify every SharePoint 2016, 2019, or Subscription Edition server in the organization. Check the current build number via Central Administration or PowerShell.
  2. Compare builds. Determine which servers are below the corrected builds: 16.0.5561.1001 (2016), 16.0.10417.20175 (2019), or 16.0.19725.20434 (Subscription Edition).
  3. Plan the deployment. Download the appropriate KB package from the Microsoft Update Catalog. If you use Workflow Manager, install KB5002799 first. Schedule maintenance windows for all servers.
  4. Apply the update. Run the installer on each server. After the binaries are deployed, run the SharePoint Products Configuration Wizard (or PSConfig) to upgrade the farm databases.
  5. Handle Subscription Edition’s extra step. For Subscription Edition, execute the PowerShell commands detailed in the KB article to disable the actor-token audience validation feature temporarily.
  6. Check workflow dependencies. If Classic Workflow Manager is in use, set the debug flag and perform an IIS reset as directed by Microsoft.
  7. Verify the installation. Confirm that all servers report the corrected build. Test critical SharePoint functions: site creation, list editing, search, and any custom web parts. Pay special attention to content publishing and consumption with ordinary user accounts to catch any regressions introduced by the patch.
  8. Review existing content. Because the vulnerability could have been exploited before patching, consider auditing recently modified pages, lists, and documents—especially if there are signs of compromised accounts. The update prevents future exploitation, but it doesn’t remove malicious content already in place.

For most organizations, the priority should be governed by exposure. Farms accessible from the internet or used by large, diverse user populations should patch as soon as possible. Even internal-only farms benefit from a timely update because the defender’s advantage shrinks once the vulnerability details are public.

What to Watch Next

The July updates also fix a regression affecting SharePoint 2010 workflows, an issue where pages failed to load because certain user controls were treated as unsafe, and several other security problems. As attackers digest the CVE-2026-55135 details, proof-of-concept code may appear. Organizations that lag on patching could face targeted phishing campaigns that use this XSS vector to gain a foothold. Keep an eye on Microsoft’s Security Response Center for any reports of active exploitation, and plan to test and deploy future SharePoint updates without unnecessary delay.