1. Overview
A reflected cross-site scripting vulnerability exists in three SharePoint Server workflow management pages. The DocURL query string parameter is rendered directly into HTML anchor tag href attributes without any encoding, allowing an attacker to inject arbitrary HTML attributes including JavaScript event handlers. An unauthenticated attacker can craft a malicious URL and deliver it to an authenticated SharePoint user; when the victim visits the link and hovers over the page’s tab navigation, the injected JavaScript executes in the SharePoint origin context, enabling session hijacking and unauthorized actions. Microsoft addressed this vulnerability in the June 2026 security update (KB5002880 for SharePoint Server 2016, KB5002874 for SharePoint Server 2019).
2. Vulnerability Type
| Field | Value |
|---|---|
| Primary CWE | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| Related CWE | CWE-116: Improper Encoding or Escaping of Output |
3. Severity
CVSS 3.1 (from Microsoft Advisory)
| Field | Value |
|---|---|
| Score | 5.4 (Medium) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
Our Assessment (CVSS 4.0)
| Metric Group | Metric | Value |
|---|---|---|
| Base — Exploitability | Attack Vector (AV) | Network |
| | Attack Complexity (AC) | Low |
| | Attack Requirements (AT) | None |
| | Privileges Required (PR) | None |
| | User Interaction (UI) | Passive |
| Base — Vulnerable System | Confidentiality (VC) | Low |
| | Integrity (VI) | Low |
| | Availability (VA) | None |
| Base — Subsequent System | Confidentiality (SC) | None |
| | Integrity (SI) | None |
| | Availability (SA) | None |
| Threat | Exploit Maturity (E) | Proof-of-Concept |
| Field | Value |
|---|---|
| CVSS 4.0 Score | 5.1 (Medium) |
| CVSS 4.0 Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P |
4. Affected Products
Affected Products
| Product | CPE 2.3 | Patch |
|---|---|---|
| Microsoft SharePoint Server 2019 | cpe:2.3:a:microsoft:sharepoint_server:2019:kb5002874:*:*:*:*:*:* | KB5002874 |
| Microsoft SharePoint Enterprise Server 2016 | cpe:2.3:a:microsoft:sharepoint_server:2016:kb5002880:*:*:*:*:*:* | KB5002880 |
| Microsoft SharePoint Server Subscription Edition | cpe:2.3:a:microsoft:sharepoint_server:subscription_edition:kb5002873:*:*:*:*:*:* | KB5002873 |
Tested Environment (Vulnerable — SharePoint Server 2019)
| Field | Value |
|---|---|
| Product | Windows Server 2025 Standard 24H2 + SharePoint Server 2019 |
| OS Build | 26100.32860 |
| Architecture | x64 |
| SharePoint Farm Build | 16.0.10417.20128 |
| Vulnerable File | AvailableWorkflow.aspx (also MyTasks.aspx, RunningWorkflows.aspx) |
| File Path | %CommonProgramFiles%\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\ |
| Installed KBs | KB5002870 (May 2026 SharePoint) |
Tested Environment (Vulnerable — SharePoint Server 2016)
| Field | Value |
|---|---|
| Product | Windows Server 2025 Standard 24H2 + SharePoint Server 2016 |
| OS Build | 26100.32860 |
| Architecture | x64 |
| SharePoint Build | 16.0.5552.1002 |
| Installed KBs | KB5089717 (May 2026), KB5087539 (May 2026) |
Tested Environment (Patched)
| Field | Value |
|---|---|
| Patch KB | KB5002874 (June 2026, SharePoint Server 2019), KB5002880 (June 2026, SharePoint Server 2016) |
| Fix | m_strDocUrl replaced with m_safeStrDocUrl (UrlPathEncode + HtmlEncode) in ASPX markup |
5. Root Cause Analysis
5a. Detailed Description
Three SharePoint Server workflow pages render the DocURL query string parameter into HTML <a href> attributes using SPHttpUtility.NoEncode(), which explicitly bypasses all output encoding. Each page has 3 tab-navigation links (START, TASKS, STATUS) that include the DocURL value, totaling 9 injection points across the 3 pages. The vulnerability was confirmed on both SharePoint Server 2019 and SharePoint Server 2016.
Vulnerable pages:
| Page | URL Path | Code-Behind Class |
|---|---|---|
| AvailableWorkflow.aspx | /_layouts/15/AvailableWorkflow.aspx | AvailableWorkflowPage |
| MyTasks.aspx | /_layouts/15/MyTasks.aspx | MyTasksPage |
| RunningWorkflows.aspx | /_layouts/15/RunningWorkflows.aspx | RunningWorkflowsPage |
Data flow (vulnerable):
The DocURL parameter flows from the HTTP request to the rendered HTML without any encoding or validation:
- Source: Request.QueryString["DocURL"] — raw user input from the URL query string
- Storage: m_strDocUrl (a protected string field on the base class)
- Sink: ASPX markup renders it via SPHttpUtility.NoEncode("...?DocURL=" + m_strDocUrl)
The code-behind (OnLoad method of each page) reads the parameter:
// AvailableWorkflowPage.OnLoad (identical in all 3 pages)
m_strDocUrl = ((Page)(object)this).Request.QueryString["DocURL"];
SPFile val = (string.IsNullOrEmpty(m_strDocUrl)
? null
: ((UnsecuredLayoutsPageBase)this).Web.GetFile(m_strDocUrl));
No encoding, no validation, no sanitization is performed on m_strDocUrl. The raw value is then referenced in the ASPX markup:
<a href=<%SPHttpUtility.WriteAddQuote(
SPHttpUtility.NoEncode("AvailableWorkflow.aspx?DocURL=" + m_strDocUrl),
this.Page);%> class="moe-tapselected">
An attacker can terminate the href attribute by injecting a " character, then inject arbitrary HTML attributes:
DocURL=/Shared Documents/x" onmouseover="alert(document.domain)" x="
Renders as:
<a href="AvailableWorkflow.aspx?DocURL=/Shared Documents/x" onmouseover="alert(document.domain)" x="" class="moe-tapselected">
Payload constraint: The DocURL value must start with a valid document library path (e.g., /Shared Documents/) because the code-behind calls Web.GetFile(m_strDocUrl) during OnLoad. If GetFile() cannot parse the path (e.g., paths containing < or >), it throws a COMException that aborts page rendering. The " character in the filename portion is tolerated by GetFile().
Authentication: The pages call SPUtility.EnsureAuthentication() in OnLoad. The victim must be authenticated. The attacker needs no SharePoint credentials — they only craft the URL (CVSS PR:N, UI:P).
5b. Vulnerable Markup and Call Stack
AvailableWorkflow.aspx (vulnerable version, identical on SP2019 and SP2016):
<a href=<%SPHttpUtility.WriteAddQuote(SPHttpUtility.NoEncode(
"AvailableWorkflow.aspx?DocURL=" + m_strDocUrl),this.Page);%>
class="moe-tapselected">
<!-- tab: START -->
</a>
...
<a href=<%SPHttpUtility.WriteAddQuote(SPHttpUtility.NoEncode(
"MyTasks.aspx?DocURL=" + m_strDocUrl),this.Page);%>
class="moe-tap">
<!-- tab: TASKS -->
</a>
...
<a href=<%SPHttpUtility.WriteAddQuote(SPHttpUtility.NoEncode(
"RunningWorkflows.aspx?DocURL=" + m_strDocUrl),this.Page);%>
class="moe-tap">
<!-- tab: STATUS -->
</a>
Call stack (server-side rendering):
AvailableWorkflowPage.OnLoad()
-> Request.QueryString["DocURL"] // source: user input
-> m_strDocUrl = raw value // no encoding
-> Web.GetFile(m_strDocUrl) // server-side file lookup (tolerates " in filename)
-> ASPX Render phase
-> SPHttpUtility.NoEncode("...?DocURL=" + m_strDocUrl) // explicitly bypasses encoding
-> SPHttpUtility.WriteAddQuote(value, Page) // wraps in double quotes, writes to response
-> Response: <a href="...DocURL=/Shared Documents/x" onmouseover="alert(1)" x="" class="moe-tap">
5c. Fix (Patched Version)
The June 2026 patch introduces a new encoded field m_safeStrDocUrl and uses it in all ASPX markup references.
Code-behind fix (added to OnLoad in all 3 page classes):
m_strDocUrl = ((Page)(object)this).Request.QueryString["DocURL"];
m_safeStrDocUrl = SPHttpUtility.HtmlEncode(SPHttpUtility.UrlPathEncode(m_strDocUrl, true));
The encoding chain applies:
- SPHttpUtility.UrlPathEncode(value, true) — encodes URL-unsafe characters (" → %22, ' → %27, < → %3C, > → %3E)
- SPHttpUtility.HtmlEncode(value) — defense-in-depth encoding for the HTML attribute context (" → &quot;, & → &amp;)
| Vulnerable | Patched |
|---|---|
| "...DocURL=" + m_strDocUrl | "...DocURL=" + m_safeStrDocUrl |
The raw m_strDocUrl is retained for the server-side GetFile() call, which requires the un-encoded URL.
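To make the effect of the encoding chain concrete, the following added example (not code from the advisory or from Microsoft) builds the START tab anchor the way the vulnerable and the patched markup do, then parses the result to see which attributes the browser would actually get. SPHttpUtility.UrlPathEncode and HtmlEncode are approximated with urllib.parse.quote and html.escape, which is an assumption about their behaviour for the characters that matter here.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed input with the attribute-breakout shape described in section 5a.
PAYLOAD = '/Shared Documents/x" onmouseover="alert(document.domain)" x="'


def url_path_encode(value: str) -> str:
    # Assumed approximation of SPHttpUtility.UrlPathEncode(value, true):
    # percent-encode everything except '/', so " ' < > become %22 %27 %3C %3E.
    return quote(value, safe="/")


def render_tab_link(doc_url: str, patched: bool) -> str:
    # WriteAddQuote wraps the NoEncode'd string in double quotes and writes it.
    if patched:
        # m_safeStrDocUrl = HtmlEncode(UrlPathEncode(m_strDocUrl, true))
        value = html.escape(url_path_encode(doc_url), quote=True)
    else:
        value = doc_url  # m_strDocUrl is used raw
    return f'<a href="AvailableWorkflow.aspx?DocURL={value}" class="moe-tapselected"></a>'


class AnchorAttrs(HTMLParser):
    """Collects the attributes of the first <a> tag, as a browser would parse them."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "a" and not self.attrs:
            self.attrs = dict(attrs)


def anchor_attributes(markup: str) -> dict:
    parser = AnchorAttrs()
    parser.feed(markup)
    return parser.attrs


def event_handlers(markup: str) -> list:
    # Any on* attribute on the anchor means the href boundary was broken.
    return sorted(name for name in anchor_attributes(markup) if name.startswith("on"))
```

Run against PAYLOAD, the vulnerable rendering yields an onmouseover attribute while the patched rendering keeps the whole value inside href with the quote encoded as %22.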
5d. Impact
The confirmed impact is reflected cross-site scripting in the SharePoint origin context. When a victim clicks the crafted URL and hovers over any of the three tab-navigation links on the page, the injected JavaScript executes with full access to the victim’s authenticated SharePoint session. This allows exfiltration of session cookies (FedAuth, .ASPXAUTH), CSRF request-digest tokens, and execution of arbitrary SharePoint REST API calls as the victim.
If the victim is a site collection administrator, the attacker could escalate to full control of the SharePoint site: uploading web shells, modifying permissions, accessing restricted document libraries, or creating new site administrators. The attack requires no special server configuration — the Shared Documents library exists by default in every SharePoint team site.
6. Proof-of-Concept
6a. PoC Code
Download poc_cve_2026_45453.py (enterprise email verification required)
| File | Description |
|---|---|
| poc_cve_2026_45453.py | Generates malicious URLs and optionally verifies XSS reflection via HTTP request |
6b. Reproduce Instructions
Prerequisites:
- SharePoint Server 2019 without KB5002874, or SharePoint Server 2016 without KB5002880
- A SharePoint web application with at least one document library (default: Shared Documents)
- Valid credentials for an authenticated SharePoint user (the victim)
- A web browser with JavaScript enabled
Steps:
1. Generate the malicious URL:
python poc_cve_2026_45453.py http://sharepoint.example.com
2. Open the URL in a browser while authenticated to SharePoint.
3. The page loads showing three tab links: START, TASKS, STATUS.
4. Hover the mouse cursor over any of the three tab links.
5. On vulnerable servers, a JavaScript alert() dialog appears displaying the SharePoint domain name, confirming script execution in the SharePoint origin. On patched servers, the " is encoded as %22, preventing attribute breakout. No JavaScript execution occurs.
6c. Test Results
| Page | Vulnerable (SP2019 & SP2016) | Patched |
|---|---|---|
| AvailableWorkflow.aspx | onmouseover injected, XSS fires on hover | " encoded as %22, no injection |
| MyTasks.aspx | onmouseover injected, XSS fires on hover | " encoded as %22, no injection |
| RunningWorkflows.aspx | onmouseover injected, XSS fires on hover | " encoded as %22, no injection |
Injection points per page: 3 <a href> tags (START, TASKS, STATUS tab links). Total injection points confirmed: 9 across 3 pages.
6d. Patched System Verification
The same PoC URL was tested against patched SharePoint instances (KB5002874 for SP2019, KB5002880 for SP2016). The patched systems render the DocURL with UrlPathEncode + HtmlEncode, encoding the " character as %22. The injected onmouseover attribute becomes part of the URL string within the href value, not a separate HTML attribute. No JavaScript execution occurs.
7. Detection
Note: The detection rules below are provided as a starting point. Validate and tune them in your own environment before deploying to production.
7a. Network-Based Detection
Signature-Based Detection
The attack is delivered via a crafted URL to SharePoint’s /_layouts/15/ endpoint. The distinctive characteristics are:
- HTTP GET request to AvailableWorkflow.aspx, MyTasks.aspx, or RunningWorkflows.aspx
- DocURL query parameter containing URL-encoded double-quote (%22) followed by HTML event handler attributes
- Legitimate DocURL values are server-relative document paths and never contain %22
Suricata Rules
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"CVE-2026-45453 SharePoint Reflected XSS - DocURL attribute injection"; \
flow:to_server,established; \
http.uri; content:"/_layouts/15/"; \
content:"DocURL="; \
content:"%22"; distance:0; \
pcre:"/DocURL=[^&]*%22[^&]*(onmouseover|onclick|onfocus|onerror|onload|onmouseenter)/Ui"; \
reference:cve,2026-45453; \
classtype:web-application-attack; \
sid:2026045453; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"CVE-2026-45453 SharePoint Reflected XSS - DocURL tag breakout"; \
flow:to_server,established; \
http.uri; content:"/_layouts/15/"; \
content:"DocURL="; \
content:"%3C"; distance:0; \
reference:cve,2026-45453; \
classtype:web-application-attack; \
sid:2026045454; rev:1;)
Byte Offset Reference
| Component | Pattern |
|---|---|
| URL path prefix | /_layouts/15/AvailableWorkflow.aspx or MyTasks.aspx or RunningWorkflows.aspx |
| Vulnerable parameter | DocURL= |
| Attribute injection marker | %22 (URL-encoded ") followed by HTML event handler name |
| Tag breakout marker | %3C (URL-encoded <) or %3E (URL-encoded >) |
7b. Host-Based Detection
Patch Verification
| Product | Vulnerable KB | Patched KB |
|---|---|---|
| SharePoint Server 2019 | KB5002870 (May 2026) or earlier | KB5002874 (June 2026) |
| SharePoint Enterprise Server 2016 | KB5087539 (May 2026) or earlier | KB5002880 (June 2026) |
PowerShell — Check Installed KB
Get-HotFix -Id KB5002874,KB5002880 -ErrorAction SilentlyContinue |
Format-Table HotFixID, InstalledOn -AutoSize
PowerShell — Check ASPX File for Vulnerable Pattern
# Inspect the shipped ASPX markup rather than relying on the KB list alone.
$layoutsPath = "$env:CommonProgramFiles\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"
$file = Get-Content "$layoutsPath\AvailableWorkflow.aspx" -Raw
# (?s) lets .* span line breaks, since the NoEncode(...) call may be wrapped across lines in the file.
if ($file -match '(?s)NoEncode.*DocURL.*m_strDocUrl') {
Write-Host "[!] VULNERABLE — AvailableWorkflow.aspx uses NoEncode with m_strDocUrl" -ForegroundColor Red
} elseif ($file -match 'm_safeStrDocUrl') {
Write-Host "[*] PATCHED — AvailableWorkflow.aspx uses m_safeStrDocUrl" -ForegroundColor Green
} else {
Write-Host "[?] Could not determine patch status" -ForegroundColor Yellow
}
IIS Log Monitoring
Search IIS logs for exploitation attempts — legitimate DocURL values never contain %22:
Get-Content "C:\inetpub\logs\LogFiles\W3SVC*\*.log" |
Select-String "DocURL=.*%22"
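The markers from the Byte Offset Reference in 7a and the IIS log search above can be applied offline to exported W3C logs. The following added example (not part of the advisory) parses a constructed IIS log excerpt by its #Fields header and labels requests to the three workflow pages whose DocURL carries an attribute-injection or tag-breakout marker; it generalizes the Suricata handler list to any on* attribute name.

```python
import re

# Constructed IIS W3C log excerpt (not real traffic). Line 2 reproduces the
# attribute-breakout shape from section 5a; line 3 a tag-breakout attempt that
# GetFile() rejects with a 500; line 4 targets a page that is not affected.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2026-06-10 09:14:02 10.0.0.5 GET /_layouts/15/AvailableWorkflow.aspx DocURL=/Shared%20Documents/report.docx 80 CORP\\alice 10.0.0.20 200
2026-06-10 09:15:41 10.0.0.5 GET /_layouts/15/MyTasks.aspx DocURL=/Shared%20Documents/x%22%20onmouseover=%22alert(document.domain)%22%20x=%22 80 CORP\\bob 203.0.113.7 200
2026-06-10 09:16:03 10.0.0.5 GET /_layouts/15/RunningWorkflows.aspx DocURL=/Shared%20Documents/x%3Cimg%20src=x%3E 80 CORP\\bob 203.0.113.7 500
2026-06-10 09:17:30 10.0.0.5 GET /_layouts/15/viewlsts.aspx DocURL=%22%20onmouseover 80 CORP\\carol 10.0.0.21 200
"""

AFFECTED_PAGES = {"availableworkflow.aspx", "mytasks.aspx", "runningworkflows.aspx"}
# Same markers as the Suricata rules: %22 followed by an event-handler name, or %3C / %3E.
ATTR_INJECTION = re.compile(r"DocURL=[^&]*%22[^&]*on[a-z]+", re.I)
TAG_BREAKOUT = re.compile(r"DocURL=[^&]*%3[CE]", re.I)


def classify(stem: str, query: str):
    """Label one request, or return None when it is not an exploitation attempt."""
    path = stem.lower()
    if not path.startswith("/_layouts/15/") or path.rsplit("/", 1)[-1] not in AFFECTED_PAGES:
        return None
    if ATTR_INJECTION.search(query):
        return "attribute-injection"
    if TAG_BREAKOUT.search(query):
        return "tag-breakout"
    return None


def scan_log(text: str):
    """Return (client IP, page, label) for every suspicious request in a W3C log."""
    fields, hits = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if fields is None or line.startswith("#") or not line.strip():
            continue
        cols = dict(zip(fields, line.split()))
        label = classify(cols.get("cs-uri-stem", ""), cols.get("cs-uri-query", "-"))
        if label:
            hits.append((cols.get("c-ip", "?"), cols["cs-uri-stem"], label))
    return hits
```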
8. References
| Source | URL |
|---|---|
| Microsoft Advisory | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45453 |
| MITRE CVE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45453 |
| NVD | https://nvd.nist.gov/vuln/detail/CVE-2026-45453 |
| KB5002874 (SP2019 June 2026) | https://support.microsoft.com/help/5002874 |
| KB5002880 (SP2016 June 2026) | https://support.microsoft.com/help/5002880 |