Particle.news

Microsoft Patches High-Severity SharePoint Deserialization RCE

The fix closes a flaw, rated CVSS 8.8, that lets a low‑privilege authenticated user run code on SharePoint servers, so administrators should install the update quickly.

Overview

  • Microsoft issued security updates on Tuesday, May 26, 2026, that fix CVE-2026-45659 across SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016, and published build numbers for the updates.
  • The bug is a deserialization flaw that lets an authenticated attacker send crafted data to trigger remote code execution on the server without requiring administrator rights.
  • Microsoft rates the issue high with a CVSS score of 8.8 and says the attack complexity is low because a user with Site Member permissions can trigger it.
  • There are no public proof-of-concept exploits, and Microsoft assesses active exploitation as less likely, but organizations are urged to patch now because SharePoint often hosts sensitive data and is frequently targeted.
  • Administrators should apply the updates, audit internet‑facing SharePoint accounts and access controls, and monitor for signs of account compromise since a breached low‑privilege account could allow full server takeover.