
Overview
Deserialization of untrusted data in Microsoft Office SharePoint allows an authenticated attacker to execute code remotely over a network. Any authenticated attacker with a minimum of Site Member permissions (PR:L) can trigger it — no administrator privileges required.
Severity & Vector
CVSS 3.1 score: 8.8 (HIGH) — vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. CWE-502: Deserialization of Untrusted Data.
Attack Complexity
Attack complexity is Low because an attacker does not require significant prior knowledge of the system and can achieve repeatable success with the payload against the vulnerable component. No user interaction is required.
Affected Versions
SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016.
Patches
Security updates released May 21, 2026 — SharePoint Enterprise Server 2016 build 16.0.5552.1002 (KB5002868), SharePoint Server 2019 build 16.0.10417.20128 (KB5002870).
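The practical question for an on-premises administrator is whether the farm is already at or above the builds listed above. The following PowerShell is an added example for this page, not part of the advisory or any Microsoft tooling: it reads the farm build with the real SharePoint cmdlet Get-SPFarm and compares it against the two patched builds the advisory names. It assumes a build-number range to infer the product line (16.0.4xxx-9xxx for SharePoint 2016, 16.0.10xxx for SharePoint 2019, 16.0.14xxx and above for Subscription Edition); that heuristic and the function names Get-SPProductLine and Test-SPPatchState are this example's own. Because the advisory lists no patched build for Subscription Edition, that case is reported as "verify manually" rather than guessed.

```powershell
# Added example (not from the advisory): report whether this farm's build meets
# the May 21, 2026 patched builds. Run in an elevated SharePoint Management
# Shell on a farm server.

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Patched builds and KB numbers exactly as listed in the advisory.
$PatchedBuilds = @{
    'SharePoint Enterprise Server 2016' = @{ Build = [version]'16.0.5552.1002';   KB = 'KB5002868' }
    'SharePoint Server 2019'            = @{ Build = [version]'16.0.10417.20128'; KB = 'KB5002870' }
}

function Get-SPProductLine {
    param([version]$Build)
    # Assumption: product line inferred from the third version component
    # (the "Build" field of System.Version); this is a heuristic, not an API.
    if ($Build.Build -lt 10000) { return 'SharePoint Enterprise Server 2016' }
    if ($Build.Build -lt 14000) { return 'SharePoint Server 2019' }
    return 'SharePoint Server Subscription Edition'
}

function Test-SPPatchState {
    param([version]$Build)
    $line   = Get-SPProductLine -Build $Build
    $result = [ordered]@{ Product = $line; InstalledBuild = $Build.ToString() }

    if ($PatchedBuilds.ContainsKey($line)) {
        $required             = $PatchedBuilds[$line]
        $result.RequiredBuild = $required.Build.ToString()
        $result.Update        = $required.KB
        # System.Version supports ordered comparison, so -ge is a full
        # four-part compare rather than a string compare.
        $result.Patched       = ($Build -ge $required.Build)
    } else {
        # Subscription Edition: the advisory gives no build, so do not guess.
        $result.RequiredBuild = '(not listed in this advisory)'
        $result.Update        = '(verify against the vendor release notes)'
        $result.Patched       = 'verify manually'
    }
    [pscustomobject]$result
}

# Farm-level build as recorded in the configuration database.
$farmBuild = (Get-SPFarm).BuildVersion
Test-SPPatchState -Build $farmBuild | Format-List
```

One caveat on reading the result: Get-SPFarm returns the build recorded in the configuration database, which only advances after the Products Configuration Wizard (psconfig) has completed on the farm. A server can have the update binaries installed but still report the old farm build, and the reverse situation leaves that server's binaries unpatched, so also compare per-server installed products with Get-SPProduct -Local on every farm member before declaring the farm patched.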
Exploit Status
No public PoC exists and Microsoft assesses exploitation as less likely — however, organizations running on-premises SharePoint servers should treat this as a priority update given SharePoint’s history as a high-value target for nation-state actors, ransomware operators, and initial access brokers.
Researcher Credit
Discovered and reported by a researcher identified as MEOW.