PT-2026-2760 · Microsoft · SharePoint Server

Published 2026-01-13 · Updated 2026-05-08 · CVE-2026-20963

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

SharePoint Enterprise Server 2016
SharePoint Server 2019
SharePoint Server Subscription Edition

Description

Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthenticated remote attacker to execute arbitrary code over a network. This issue does not require user interaction or credentials. Real-world exploitation of this flaw has been confirmed, and it has been added to the Known Exploited Vulnerabilities catalog.

Recommendations

Apply the security updates released in January for SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.

Fix

RCE

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

BDU:2026-00638
CVE-2026-20963

Affected Products

SharePoint Server