1. Home
  2. Vulnerabilities
  3. CVE-2026-20963
Known Exploited Vulnerability
9.8
CRITICAL CVSS 3.1
CVE-2026-20963
Microsoft SharePoint Deserialization of Untrusted Data Vulnerability - [Actively Exploited]
Overview
Description

Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network.

Details
INFO

Published Date :

Jan. 13, 2026, 6:16 p.m.

Last Modified :

April 1, 2026, 4:01 p.m.

Remotely Exploit :

Yes !

Source :

[email protected]
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Description :

Microsoft SharePoint contains a deserialization of untrusted data vulnerability that allows an unauthorized attacker to execute code over a network.

Required Action :

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Known Ransomware Campaign Use:

Unknown

Notes :

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20963 ; https://nvd.nist.gov/vuln/detail/CVE-2026-20963

Impact
Affected Products

The following products are affected by CVE-2026-20963 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Microsoft sharepoint_server
2 Microsoft sharepoint_server_2016
3 Microsoft sharepoint_server_2019
: Total Affected Vendor : 1 | Products : 3
Scoring
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 HIGH f38d906d-7342-40ea-92c1-6c4a2c6478c8
CVSS 3.1 HIGH [email protected]
CVSS 3.1 CRITICAL [email protected]
Solution
Apply vendor security updates to address SharePoint deserialization vulnerability.
  • Install Microsoft security updates.
  • Update Microsoft SharePoint Server.
Public PoC/Exploit Available at Github

CVE-2026-20963 has a 3 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

References
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2026-20963.

URL Resource
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20963 Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20963 US Government Resource
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-20963 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-20963 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Profile Photo
neoparadigm/Mati

Self-evolving threat intelligence proxy for OpenClaw agents. Intercepts LLM requests, injects security skills, logs predictions, and scores them against objective ground truth (CISA KEV, EPSS, exploit publications). When wrong, it learns — no GPU, no LLM judge, reality is the reward signal.

Python

Updated: 6 days, 19 hours ago
0 stars 0 fork 0 watcher
Born at : March 28, 2026, 7:05 a.m. This repo has been linked 1 different CVEs too.
Profile Photo
jenniferreire26/CVE-2026-20963

None

Updated: 1 week, 1 day ago
0 stars 0 fork 0 watcher
Born at : March 27, 2026, 9:03 p.m. This repo has been linked 1 different CVEs too.
Profile Photo
DevGreick/devgreick

None

Python

Updated: 2 weeks ago
1 stars 0 fork 0 watcher
Born at : Oct. 29, 2024, 8:10 p.m. This repo has been linked 11 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2026-20963 vulnerability anywhere in the article.

  • security.nl
'Tientallen Nederlandse SharePoint-servers bevatten actief misbruikt lek'

Tientallen Microsoft SharePoint-servers met een Nederlands ip-adres bevatten een kwetsbaarheid waarvan actief misbruikt wordt gemaakt, zo stelt The Shadowserver Foundation op basis van eigen onderzoek ... Read more

Published Date: Mar 23, 2026 (1 week, 6 days ago)
  • Help Net Security
Week in review: ScreenConnect servers open to attack, exploited Microsoft SharePoint flaw

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: What smart factories keep getting wrong about cybersecurity In this Help Net Security interview, Packs ... Read more

Published Date: Mar 22, 2026 (2 weeks ago)
  • Help Net Security
Cisco FMC flaw was exploited by Interlock weeks before patch (CVE-2026-20131)

A critical vulnerability (CVE-2026-20131) in Cisco Secure Firewall Management Center (FMC) that Cisco disclosed and patched in early March 2026 has been exploited as a zero-day by the Interlock ransom ... Read more

Published Date: Mar 20, 2026 (2 weeks, 1 day ago)
  • Help Net Security
Unpatched ScreenConnect servers open to attack (CVE-2026-3564)

ConnectWise has patched a critical vulnerability (CVE-2026-3564) that could enable attackers to hijack ScreenConnect sessions by abusing ASP.NET machine keys to forge trusted authentication. About CVE ... Read more

Published Date: Mar 20, 2026 (2 weeks, 2 days ago)
  • The Register
Unknown attackers exploit yet another critical SharePoint bug

Unknown baddies are abusing yet another critical Microsoft SharePoint bug to compromise victims' SharePoint servers, the US government warned. CVE-2026-20963 is a critical deserialization flaw in Shar ... Read more

Published Date: Mar 19, 2026 (2 weeks, 2 days ago)
  • Daily CyberSecurity
Critical Jenkins Flaws Expose CI/CD Servers to Remote Code Execution

The Jenkins project has released a critical security advisory addressing multiple vulnerabilities that could lead to full system compromise. The advisory highlights two high-severity flaws in the Jenk ... Read more

Published Date: Mar 19, 2026 (2 weeks, 2 days ago)
  • Daily CyberSecurity
High-Severity RCE Flaw in Atlassian Bamboo Threatens CI/CD Environments

Atlassian has sounded the alarm for users of its Bamboo Data Center, uncovering a high-severity Remote Code Execution (RCE) vulnerability that could allow attackers to seize control of development env ... Read more

Published Date: Mar 19, 2026 (2 weeks, 2 days ago)
  • Daily CyberSecurity
CISA Issues Urgent Warning Following Global Cyberattack on Stryker

In a move to protect the nation’s critical infrastructure, the Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert following a significant cyberattack on Stryker Corporation, a ... Read more

Published Date: Mar 19, 2026 (2 weeks, 2 days ago)
  • Help Net Security
CISA warns of active exploitation of Microsoft SharePoint vulnerability (CVE-2026-20963)

CVE-2026-20963, a remote code execution (RCE) SharePoint vulnerability Microsoft fixed in January 2026, is being exploited by attackers. The confirmation comes from the US Cybersecurity and Infrastruc ... Read more

Published Date: Mar 19, 2026 (2 weeks, 2 days ago)
  • security.nl
RCE-kwetsbaarheid in Microsoft SharePoint actief misbruikt bij aanvallen

Aanvallers maken actief misbruik van een kwetsbaarheid in Microsoft SharePoint waardoor remote code execution (RCE) mogelijk is, zo waarschuwt het Amerikaanse cyberagentschap CISA. Dat heeft Amerikaan ... Read more

Published Date: Mar 19, 2026 (2 weeks, 3 days ago)
  • CybersecurityNews
CISA Warns of Microsoft SharePoint Vulnerability Exploited in Attacks

CISA Warns Microsoft SharePoint Vulnerability Exploit A critical security flaw in Microsoft SharePoint has been identified as actively exploited, and on March 18, 2026, the vulnerability was officiall ... Read more

Published Date: Mar 19, 2026 (2 weeks, 3 days ago)
  • The Hacker News
CISA Warns of Zimbra, SharePoint Flaw Exploits; Cisco Zero-Day Hit in Ransomware Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged government agencies to apply patches for two security flaws impacting Synacor Zimbra Collaboration Suite (ZCS) and Microsoft ... Read more

Published Date: Mar 19, 2026 (2 weeks, 3 days ago)
  • TheCyberThrone
CISA adds Three Vulnerabilities to KEV Catalog

OverviewCISA has expanded its Known Exploited Vulnerabilities (KEV) catalog with three new entries this week, spanning enterprise collaboration, file transfer infrastructure, and email collaboration p ... Read more

Published Date: Mar 19, 2026 (2 weeks, 3 days ago)
  • Daily CyberSecurity
Exploited in the Wild: CISA Warns of Active Attacks on Microsoft SharePoint and Zimbra

The Cybersecurity and Infrastructure Security Agency (CISA) has officially expanded its Known Exploited Vulnerabilities (KEV) Catalog, adding two high-risk flaws that are currently being weaponized by ... Read more

Published Date: Mar 19, 2026 (2 weeks, 3 days ago)
  • Daily CyberSecurity
Exploited in the Wild: Interlock Ransomware Weaponizes Critical 10.0 CVSS Cisco Zero-Day

Interlock ransomware Amazon threat intelligence has uncovered an active Interlock ransomware campaign that exploited a critical vulnerability in Cisco Secure Firewall Management Center (FMC) as a zero ... Read more

Published Date: Mar 19, 2026 (2 weeks, 3 days ago)
  • The Cyber Express
Microsoft Patch Tuesday January 2026: Actively Exploited Zero Day, 8 High-Risk Flaws

Microsoft’s Patch Tuesday January 2026 update includes fixes for one actively-exploited zero day vulnerability and eight additional high-risk flaws. In all, the Patch Tuesday January 2026 update inclu ... Read more

Published Date: Jan 13, 2026 (2 months, 3 weeks ago)
  • Zero Day Initiative
The January 2026 Security Update Review

I may be in Tokyo preparing for Pwn2Own Automotive, but that doesn’t stop patch Tuesday from coming. Put aside you broken New Year’s resolutions for just a moment as we review the latest security patc ... Read more

Published Date: Jan 13, 2026 (2 months, 3 weeks ago)
  • BleepingComputer
Microsoft January 2026 Patch Tuesday fixes 3 zero-days, 114 flaws

Today is Microsoft's January 2026 Patch Tuesday with security updates for 114 flaws, including one actively exploited and two publicly disclosed zero-day vulnerabilities.This Patch Tuesday also addres ... Read more

Published Date: Jan 13, 2026 (2 months, 3 weeks ago)
  • CybersecurityNews
Microsoft Patch Tuesday January 2026 – 114 Vulnerabilities Fixed Including 3 Zero-days

CVE-2026-20822Windows Graphics Component Elevation of Privilege VulnerabilityElevation of PrivilegeCVE-2026-20876Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerabilit ... Read more

Published Date: Jan 13, 2026 (2 months, 3 weeks ago)

Results are limited to the first 20 news articles due to potential performance issues.

The following table lists the changes that have been made to the CVE-2026-20963 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Modified Analysis by [email protected]

    Apr. 01, 2026

    Action Type Old Value New Value
  • CVE Modified by [email protected]

    Apr. 01, 2026

    Action Type Old Value New Value
    Changed Description Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network.
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Removed CVSS V3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Modified Analysis by [email protected]

    Mar. 19, 2026

    Action Type Old Value New Value
    Added Reference Type CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20963 Types: US Government Resource
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Mar. 18, 2026

    Action Type Old Value New Value
    Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20963
  • Initial Analysis by [email protected]

    Jan. 14, 2026

    Action Type Old Value New Value
    Added CPE Configuration OR *cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:* *cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:enterprise:*:*:* *cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:* versions up to (excluding) 16.0.19127.20442
    Added Reference Type Microsoft Corporation: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20963 Types: Vendor Advisory
  • New CVE Received by [email protected]

    Jan. 13, 2026

    Action Type Old Value New Value
    Added Description Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
    Added CVSS V3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    Added CWE CWE-502
    Added Reference https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20963
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CVSS
Vulnerability Scoring Details
Base CVSS Score: 9.8
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact