CVE-2026-20963

Analyzed
Published: 13 Jan 2026, 17:56
Last modified:19 Mar 2026, 03:55

Vulnerability Summary

Overall Risk (default)
medium
37/100
CVSS Score
8.8 HIGH
v3.1 (cve.org)
EPSS Score
9.87% LOW
10% probability +8.24%
KEV
Listed
CISA
1 listing
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

13 Jan 2026, 17:56
Published
Vulnerability first disclosed
18 Mar 2026, 00:00
Added to CISA KEV
Microsoft SharePoint Deserialization of Untrusted Data Vulnerability
19 Mar 2026, 03:55
Last Modified
Vulnerability information updated
21 Mar 2026, 00:00
CISA Remediation Due
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

CVSS Metrics

  • v3.1HIGHScore: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
  • v3.1HIGHScore: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 9.87% Percentile: 93%

Techniques & Countermeasures

  • CWE-502Deserialization of Untrusted Data

    The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Affected Systems

  • microsoftmicrosoft sharepoint enterprise server 2016

    ≥ 16.0.0, < 16.0.5535.1001

  • microsoftmicrosoft sharepoint server 2019

    ≥ 16.0.0, < 16.0.10417.20083

  • microsoftmicrosoft sharepoint server subscription edition

    ≥ 16.0.0, < 16.0.19127.20442

  • UnknownSharePoint Server

    < 16.0.19127.20442 | 2016 | 2019

References (2)