CVE-2026-45453 — Microsoft SharePoint Server Workflow Pages DocURL Parameter Reflected Cross-Site Scripting

1. Overview

A reflected cross-site scripting vulnerability exists in three SharePoint Server workflow management pages. The DocURL query string parameter is rendered directly into HTML anchor tag href attributes without any encoding, allowing an attacker to inject arbitrary HTML attributes including JavaScript event handlers. An unauthenticated attacker can craft a malicious URL and deliver it to an authenticated SharePoint user; when the victim visits the link and hovers over the page’s tab navigation, the injected JavaScript executes in the SharePoint origin context, enabling session hijacking and unauthorized actions. Microsoft addressed this vulnerability in the June 2026 security update (KB5002880 for SharePoint Server 2016, KB5002874 for SharePoint Server 2019). ...
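The encoding flaw described in the overview, reduced to an added Python sketch (not SharePoint's code and not from the original article): a query value concatenated into an href unencoded, beside a version that attribute-encodes it. The function names, the "Workflows" link text, the sample value and the URL policy are all assumptions; the scheme check goes beyond what the overview states, since encoding alone does not constrain what an href points to.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

def render_link_unencoded(doc_url):
    # Flawed pattern from the overview: query value concatenated into href as-is.
    return '<a href="' + doc_url + '">Workflows</a>'

def is_allowed_doc_url(doc_url):
    # Assumed policy: absolute http(s) URLs or site-relative paths only.
    if "\\" in doc_url:
        return False
    try:
        parts = urlsplit(doc_url)
    except ValueError:
        return False
    if parts.scheme:
        return parts.scheme in ("http", "https") and bool(parts.netloc)
    return doc_url.startswith("/") and not doc_url.startswith("//")

def render_link_encoded(doc_url):
    if not is_allowed_doc_url(doc_url):
        doc_url = "/"  # assumed fallback target
    # quote=True encodes " and ', so the value cannot close the attribute.
    return '<a href="' + html.escape(doc_url, quote=True) + '">Workflows</a>'

class _AnchorAttrs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.attrs = attrs

def anchor_attrs(markup):
    # Parse the markup the way a browser would and list the anchor's attributes.
    parser = _AnchorAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs

# Constructed sample value: a quote followed by an extra, harmless attribute.
SAMPLE = '/docs/report.docx" data-injected="1'

if __name__ == "__main__":
    print(anchor_attrs(render_link_unencoded(SAMPLE)))  # two attributes
    print(anchor_attrs(render_link_encoded(SAMPLE)))    # href only
```

Parsing the output and counting attributes on the anchor is also a usable regression test for any page that echoes a query parameter into markup.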

June 16, 2026 · 8 min · Aretiq AI