PT-2026-2760 · Microsoft · SharePoint Server

Published: 2026-01-13 · Updated: 2026-05-18 · CVE-2026-20963

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

SharePoint Enterprise Server 2016
SharePoint Server 2019
SharePoint Server Subscription Edition

Description

Microsoft Office SharePoint contains a flaw involving the deserialization of untrusted data. Deserialization is the process of converting data from a format like XML or JSON back into an object that a program can use. This issue allows an unauthenticated remote attacker to execute arbitrary code over a network without requiring user interaction by sending a crafted request to the server. Real-world exploitation of this flaw has been confirmed.

Recommendations

Apply the security updates released in January for SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.

Fix

RCE

DoS

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

BDU:2026-00638
CVE-2026-20963

Affected Products

SharePoint Server