PT-2026-42850 · Microsoft · Sharepoint Server

Meow · Published 2026-05-21 · Updated 2026-05-27 · CVE-2026-45659

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

SharePoint Server Subscription Edition versions prior to 16.0.19725.20280
SharePoint Server 2019 versions prior to 16.0.10417.20128
SharePoint Enterprise Server 2016 versions prior to 16.0.5552.1002

Description

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker with Site Member permissions to execute arbitrary code remotely over a network. This issue can be exploited in low-complexity attacks without requiring elevated privileges. Real-world incidents have occurred where authenticated attackers used this flaw to execute remote code, escalate privileges, and perform lateral movement across SharePoint environments.

Recommendations

Update SharePoint Server Subscription Edition to build number 16.0.19725.20280.
Update SharePoint Server 2019 to build number 16.0.10417.20128.
Update SharePoint Enterprise Server 2016 to build number 16.0.5552.1002.

Fix

RCE

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

CVE-2026-45659

Affected Products

Sharepoint Server