CVE-2026-47294 – Microsoft SharePoint Server 2016

Microsoft SharePoint Server contains a remote code execution vulnerability involving improper neutralization of special elements used in OS commands. An authenticated attacker with at least Site Owner privileges could exploit the vulnerability over a network to inject and execute code remotely on the SharePoint Server. Microsoft reports no public disclosure or active exploitation, and exploitation is assessed as less likely; however, the high impact to confidentiality, integrity, and availability makes this an important risk for SharePoint environments.

CVSS Score: 8.0

SEVERITY: Important

THREAT:
This vulnerability could allow an authenticated attacker to execute code against Microsoft SharePoint Server. Because SharePoint often stores sensitive business documents, workflows, and collaboration data, successful exploitation could provide a strong foothold inside the enterprise environment.

EXPLOITS:
Microsoft reports that this vulnerability is not publicly disclosed and not currently exploited. No confirmed public proof-of-concept exploit code is available. Microsoft rates exploitation as Exploitation Less Likely.

TECHNICAL SUMMARY:
The vulnerability is associated with CWE-78: Improper Neutralization of Special Elements used in an OS Command, also known as OS command injection. An authenticated attacker with at least Site Owner permissions could write arbitrary code and inject commands that may execute remotely on the SharePoint Server. The attack is network-based, has low attack complexity, and can result in high confidentiality, integrity, and availability impact. The provided data also states that user interaction is required and that a client connecting to a malicious server could allow code execution on the client.

EXPLOITABILITY:
Affected software includes Microsoft SharePoint Server 2016, SharePoint Enterprise Server 2016, and applicable Microsoft Office SharePoint Server environments. Exploitation requires network access, low privileges, and user interaction. An attacker must be authenticated as at least a Site Owner to inject and execute code remotely on the SharePoint Server.

BUSINESS IMPACT:
A successful attack could allow code execution within a SharePoint environment, giving attackers access to sensitive documents, internal collaboration data, and business workflows. This could lead to data theft, content manipulation, malware deployment, service disruption, or further compromise of connected Microsoft services.

WORKAROUND:
Apply the official Microsoft security update. Customers running SharePoint Server 2016 or SharePoint Enterprise Server 2016 should install the applicable security update using the same KB guidance for both versions. Organizations should also review Site Owner permissions and reduce unnecessary privileged access.