CVE-2026-20963: Microsoft SharePoint Deserialization of Untrusted Data Vulnerability
info, vulnerability
security
Summary
Microsoft SharePoint has a deserialization of untrusted data vulnerability (a flaw where the software unsafely processes data from untrusted sources, allowing attackers to inject malicious code). An unauthorized attacker can exploit this over a network to execute code on affected systems. This vulnerability is being actively exploited in the wild.
Solution / Mitigation
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Due date: 2026-03-21.
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 1.6%
Patch Available
Yes
Disclosure Date
March 17, 2026
Classification
Attack Sophistication: Moderate
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-20963
First tracked: March 18, 2026 at 04:59 PM
Classified by LLM (prompt v3) · confidence: 95%