>_ 0dayNews
CVE Record
[ HIGH ] CVE-2026-45659

Microsoft SharePoint Server deserialization remote code execution

A high-severity deserialization-of-untrusted-data flaw in on-premises Microsoft SharePoint Server that leads to remote code execution. Patched by Microsoft in the May 2026 security update; added to the CISA Known Exploited Vulnerabilities catalog on July 2, 2026 after confirmed exploitation in the wild.

cat cve-2026-45659.json
Vendor: Microsoft
Product: SharePoint Server (on-premises)
CVSS: 8.8
Status: kev
Published:

CVE-2026-45659 is a remote-code-execution vulnerability in on-premises Microsoft SharePoint Server, rated CVSS 8.8, that stems from the deserialization of untrusted data reaching a vulnerable code path in the server. Microsoft shipped a fix in its May 2026 security update. CISA added the CVE to the Known Exploited Vulnerabilities catalog on July 2, 2026, citing confirmed in-the-wild exploitation and setting a federal-civilian remediation deadline.

Why it matters

On-premises SharePoint tends to sit deep inside enterprise networks and hold exactly the material an intruder wants once they get in — internal documents, project plans, credentials pasted into pages by accident, links to other internal systems. A deserialization RCE on that server hands an attacker code execution as the SharePoint service account, which is generally more than enough to pivot from “document repository” to “beachhead.”

Federal agencies had until CISA’s KEV due date to remediate. Everyone else should treat KEV listing as the signal that mass scanning and exploitation are underway — because at that point they usually are.

What to do

Apply Microsoft’s May 2026 SharePoint security update to every on-premises SharePoint Server farm — Subscription Edition, 2019, and older still-in-support builds — if you haven’t already. Details, affected version ranges, and any additional configuration steps are in the Microsoft Security Response Center advisory. The canonical record is on NVD.
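One way to turn the KEV listing into a patch worklist, as an added example that is not part of the original article: match KEV entries against a farm inventory and report every SharePoint host whose patch level predates the May 2026 update. The feed field names follow CISA's KEV JSON feed; the inventory layout, the host names and the `FIXED_IN` mapping are assumptions made for illustration.

```python
from datetime import date

# Constructed excerpt in the layout of CISA's KEV JSON feed; the CVE, product
# and dateAdded values are the ones given in the article.
KEV_FEED = {"vulnerabilities": [
    {"cveID": "CVE-2026-45659", "vendorProject": "Microsoft",
     "product": "SharePoint Server", "dateAdded": "2026-07-02"},
]}

# Assumption: (year, month) of the vendor update that fixes each CVE,
# maintained by the patch team. May 2026 per the article.
FIXED_IN = {"CVE-2026-45659": (2026, 5)}

# Constructed inventory; host names and patch levels are illustrative.
# last_update is the newest security update month applied, None if unknown.
INVENTORY = [
    {"host": "sp-farm-a", "vendor": "Microsoft",
     "product": "SharePoint Server", "last_update": (2026, 6)},
    {"host": "sp-farm-b", "vendor": "Microsoft",
     "product": "SharePoint Server", "last_update": (2026, 4)},
    {"host": "sp-farm-c", "vendor": "microsoft",
     "product": "sharepoint server", "last_update": None},
    {"host": "mail-01", "vendor": "Microsoft",
     "product": "Exchange Server", "last_update": (2026, 6)},
]


def kev_exposure(feed, fixed_in, inventory, today):
    """Return inventory entries still exposed to a KEV-listed CVE."""
    findings = []
    for vuln in feed["vulnerabilities"]:
        fix = fixed_in.get(vuln["cveID"])
        days_listed = (today - date.fromisoformat(vuln["dateAdded"])).days
        for asset in inventory:
            same_product = (
                asset["vendor"].casefold() == vuln["vendorProject"].casefold()
                and asset["product"].casefold() == vuln["product"].casefold())
            if not same_product:
                continue
            level = asset["last_update"]
            # Unknown fix month or unknown patch level is treated as exposed.
            if fix is None or level is None or level < fix:
                findings.append({"host": asset["host"], "cve": vuln["cveID"],
                                 "days_listed": days_listed,
                                 "patch_level": level})
    return sorted(findings, key=lambda f: f["days_listed"], reverse=True)


if __name__ == "__main__":
    for finding in kev_exposure(KEV_FEED, FIXED_IN, INVENTORY, date(2026, 7, 10)):
        print(finding)
```

A host with no recorded patch level is reported rather than skipped, so gaps in the inventory surface as work items instead of silently passing.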