{"schema_version":"1.0","report_url":"https://aretiq.ai/research/vul260531-cve-2026-45454-microsoft-sharepoint-server-upload-page-folder-path-traversal/","date":"2026-06-10","last_modified":"2026-06-10","cve":"CVE-2026-45454","title":"CVE-2026-45454 — Microsoft SharePoint Server Upload Page Folder Path Traversal to Remote Code Execution","vulnerability_name":"Microsoft SharePoint Server Upload Page Folder Path Traversal","vendor":"Microsoft","product":"SharePoint Server","component":"Upload Page (UploadPage.aspx)","binary":"microsoft.office.policy.pages.dll","impact":"RCE","cwe":["CWE-22"],"severity":{"cvss_v4_score":8.2,"cvss_v4_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N/E:P"},"attack_vector":"Network","patch_kb":["KB5002874","KB5002880"],"poc_verified":true,"poc_download":"https://aretiq.ai/downloads/","tags":["cve-2026-45454","sharepoint","path-traversal","file-upload","authorization-bypass","rce","webshell"],"summary":"A path traversal vulnerability exists in the SharePoint Server file upload page (Upload.aspx). The UploadPage.CurrentFolder property resolves the upload destination from the user-supplied RootFolder query string parameter without validating that the resolved folder belongs to the document library specified by the List parameter. An authenticated attacker with upload permissions to one document library can craft a request that uploads files to a different, restricted document library on the same site — including the Master Page Gallery (_catalogs/masterpage)."}