- CVE: CVE-2026-33112
- CVSS: 8.8 (High · CVSSv3)
- Product: Microsoft SharePoint Enterprise Server 2016
- Affected: 16.0.0
- Impact: Microsoft SharePoint Server Remote Code Execution Vulnerability
- Status: No confirmed exploitation yet
- Patched in: 16.0.5552.1002, 16.0.10417.20128, 16.0.19725.20280
- EPSS: 1.9% (30-day)
- Action: Update to 16.0.5552.1002, 16.0.10417.20128, 16.0.19725.20280 now
TL;DR
Researchers have published full technical details and proof-of-concept code for a SharePoint remote code execution flaw. Tracked as CVE-2026-33112 (CVSS 8.8), it lets a low-privilege user run code on the server. Microsoft patched it in the May Patch Tuesday release.
Why It Matters
SharePoint sits at the center of many corporate intranets. As a result, a server-side flaw exposes documents, credentials, and internal apps. This SharePoint remote code execution bug needs only a site member account, not admin rights. That low bar makes it valuable to attackers who already hold a foothold. Phishing or a stolen password can supply that starting account. From there, one request can pivot to full server control.
How the Attack Works
The flaw bypasses the fix for an earlier bug, CVE-2025-53770. According to the Viettel Cyber Security analysis, the researcher abuses XSD schema imports. The XmlValidator checks only the inline schema string. However, it never sees the schema pulled from an external network location.
Therefore, an attacker hosts a malicious schema on their own server. That external schema smuggles a forbidden type past the validator. A PerformancePoint web service then deserializes the payload and triggers code execution. The chain reaches an unsafe control that Microsoft had tried to lock down. In short, the patch closed one door while another stayed open. The write-up credits khoadha, who reported the issue to Microsoft.
Affected Versions
The bug affects on-premises SharePoint Server builds prior to the May 2026 security update. Microsoft’s advisory lists the exact supported versions and patch levels. SharePoint Online is managed by Microsoft, so cloud tenants need no action.
Patch and Mitigation Steps
Apply the May 2026 update without delay. Review Microsoft’s official CVE-2026-33112 advisory for build numbers. Since a public PoC exists, patching should take priority over routine change windows. Admins should also block server outbound connections to untrusted hosts. That step disrupts the external schema fetch this SharePoint remote code execution flaw relies on. No in-the-wild exploitation has been confirmed so far.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.