CVE-2026-20947 | THREATINT

Description

Improper neutralization of special elements used in an sql command ('sql injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

PUBLISHED Reserved 2025-12-04 | Published 2026-01-13 | Updated 2026-02-22 | Assigner microsoft

HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Problem types

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

16.0.0 (custom) before 16.0.5535.1001

affected

16.0.0 (custom) before 16.0.10417.20083

affected

16.0.0 (custom) before 16.0.19127.20442

affected

References

msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20947 (Microsoft SharePoint Server Remote Code Execution Vulnerability) vendor-advisory patch

cve.org (CVE-2026-20947)

nvd.nist.gov (CVE-2026-20947)

Download JSON