Microsoft Releases Patch for CVE‑2026‑45659 Remote Code Execution in SharePoint
Patch SharePoint to the latest version to mitigate CVE‑2026‑45659.
Apply the SharePoint security update immediately.
Summary
Microsoft has released updates that fix a remote code execution vulnerability in SharePoint that attackers could exploit without any specialized conditions being met. The vulnerability, tracked as CVE‑2026‑45659, carries a CVSS score of 8.8 and has been assigned a severity rating of Important. It is a deserialization-of-untrusted-data flaw in Microsoft Office SharePoint that allows attackers to execute arbitrary code on the target system. The flaw is triggered when the SharePoint server processes a maliciously crafted XML payload, and the attacker's code then runs with the privileges of the SharePoint service account. The patch is available for all supported SharePoint versions, including SharePoint Online and SharePoint Server 2019 and 2022. Microsoft recommends applying the update immediately to mitigate the risk of exploitation. The update also includes additional hardening for XML parsing to prevent similar vulnerabilities in the future. The advisory notes that no user interaction is required for exploitation, which makes the vulnerability highly dangerous.
The vulnerability was discovered by a security researcher who reported it to Microsoft, and the company released a security update on 10 May 2026. The update addresses the deserialization issue by sanitizing input data and enforcing strict schema validation. The advisory also warns that attackers could use the vulnerability to install malware, steal data, or pivot to other systems within the network. The patch is part of Microsoft’s regular security maintenance cycle and is included in the May 2026 security bulletin. Users should verify that their SharePoint instances are running the latest cumulative update and that the security baseline is configured correctly.
Key changes
- CVE‑2026‑45659 is a remote code execution vulnerability in SharePoint with a CVSS score of 8.8.
- The flaw allows deserialization of untrusted XML payloads, enabling arbitrary code execution.
- No special conditions or user interaction are required for exploitation.
- Microsoft released a patch for all supported SharePoint versions on 10 May 2026.
- The update sanitizes input data and enforces strict schema validation.
- The vulnerability could be used to install malware, steal data, or pivot within a network.
- The patch is part of Microsoft’s May 2026 security bulletin.
- Users should verify that their SharePoint instances are running the latest cumulative update.
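
One way to carry out the verification step above on an on-premises SharePoint Server farm is shown below. It is an added example, not code from Microsoft's advisory. The fixed build number is not stated on this page, so the script takes it as a parameter (`MinimumFixedBuild`, a name chosen here) that you fill in from Microsoft's advisory for your SharePoint version.

```powershell
# Added example: check that a SharePoint Server farm has the security update
# installed AND fully applied. Run in the SharePoint Management Shell on a
# farm server, using a farm administrator account.
param(
    # Assumption: placeholder value supplied by the operator, taken from
    # Microsoft's advisory (format 16.0.XXXXX.XXXXX). Not given on this page.
    [Parameter(Mandatory = $true)]
    [version]$MinimumFixedBuild
)

# SharePoint Server 2019 exposes the cmdlets as a snap-in; later releases load
# them as a module, so failing to add the snap-in is not treated as an error.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$findings = @()

# 1. Farm build. This value only advances after the configuration wizard
#    (PSConfig) has run, so an installed-but-unapplied update shows up here.
$farmBuild = (Get-SPFarm).BuildVersion
if ($farmBuild -lt $MinimumFixedBuild) {
    $findings += "Farm build $farmBuild is below required build $MinimumFixedBuild"
}

# 2. SharePoint servers whose binaries were updated but which still need the
#    configuration wizard. Role 'Invalid' marks non-SharePoint hosts (e.g. SQL).
foreach ($server in (Get-SPServer | Where-Object { $_.Role -ne 'Invalid' })) {
    if ($server.NeedsUpgrade) {
        $findings += "Server $($server.Name) needs upgrade (run the configuration wizard)"
    }
}

# 3. Databases left at the old schema by an incomplete upgrade.
foreach ($db in (Get-SPDatabase | Where-Object { $_.NeedsUpgrade })) {
    $findings += "Database $($db.Name) needs upgrade"
}

if ($findings.Count -eq 0) {
    Write-Output "OK: farm build $farmBuild meets $MinimumFixedBuild; nothing pending upgrade."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1   # non-zero exit so a scheduled compliance job can flag the farm
}
```

The non-zero exit code lets the script be wired into a patch-compliance job that runs against every farm after the maintenance window.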