High

Remote Code Execution in Microsoft Office SharePoint via Deserialization of Untrusted Data

IdentifiersCVE-2026-26114CWE-502· Deserialization of Untrusted Data

CVE-2026-26114 is an important remote code execution vulnerability in Microsoft Office SharePoint Server caused by deserialization of untrusted data. Microsoft describes the issue as allowing an authorized attacker to execute code over a network. Available reporting indicates the flaw affects SharePoint Server and is exploitable by an authenticated attacker with at least Site Member permissions. The published CVSS v3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network reachability, low attack complexity, low privileges required, no user interaction, and high impact to confidentiality, integrity, and availability.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows remote code execution on the vulnerable SharePoint Server in the context available to the vulnerable service/component. Based on the published CVSS vector and Microsoft’s description, compromise can result in high impact to confidentiality, integrity, and availability, including the ability to run attacker-controlled code, access or modify SharePoint-hosted data, and disrupt service operation.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by restricting network access to SharePoint, limiting access to trusted users and administrative boundaries, and minimizing the number of accounts with Site Member or higher permissions. Monitor SharePoint for suspicious authenticated activity and potential exploitation attempts, especially requests or workflows involving serialized data handling. These measures are compensating controls only and do not remove the underlying vulnerability.

Remediation

Patch, then assume compromise.

Apply Microsoft’s March 2026 security update for Microsoft Office SharePoint / SharePoint Server that addresses CVE-2026-26114. Microsoft’s MSRC update guide entry for this CVE should be used to identify the exact affected versions and corresponding patches. Prioritize patching internet-exposed and multi-tenant SharePoint deployments, and validate that all SharePoint servers in the farm are updated consistently.

PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.

VALID 0 / 1 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Microsoft CorporationSharepoint Enterprise Serverapplication

Microsoft CorporationSharepoint Serverapplication

Microsoft CorporationSharepoint Server 2016application

Microsoft CorporationSharepoint Server 2019application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app

thecyberexpress com vulnerabilitiesNews

Mar 11, 2026

Microsoft Patch Tuesday March 2026: Two Zero-Days and Critical RCE Bugs Fixed - The Cyber Express

A remote code execution vulnerability in Microsoft SharePoint Server caused by deserialization of untrusted data; described as exploitable by authenticated attackers with Site Member permissions.

cyberthroneNews

Mar 11, 2026

Microsoft Patch Tuesday - March 2026 - TheCyberThrone

A Microsoft SharePoint Server remote code execution vulnerability caused by deserialization of untrusted data, exploitable by authenticated users with Site Member permissions or higher.

cvefeed high severityNews

Mar 10, 2026

CVE-2026-26114 - Microsoft SharePoint Server Remote Code Execution Vulnerability

A remote code execution vulnerability in Microsoft Office SharePoint caused by deserialization of untrusted data (CWE-502), allowing an authorized attacker to execute code over the network.

talos intelligence blogNews

Mar 10, 2026

Microsoft Patch Tuesday for March 2026 - Snort rules and prominent vulnerabilities

An important Microsoft SharePoint Server remote code execution vulnerability caused by deserialization of untrusted data. An authenticated attacker with Site Member permissions can execute code remotely over a network.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity2

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-26114

NVD

nvd.nist.gov/vuln/detail/CVE-2026-26114

MITRE CWE · CWE-502

Deserialization of Untrusted Data

Vendor Advisory

msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26114