Mallory
Severity: High

RCE via path traversal in Microsoft SharePoint Upload.aspx

Identifiers: CVE-2026-45454 · CWE-22 · Improper Limitation of a Pathname…

CVE-2026-45454 is a path traversal flaw in Microsoft SharePoint Server's file upload page, /_layouts/15/Upload.aspx. The vulnerable code path uses UploadPage.CurrentFolder to resolve the upload destination from the user-controlled RootFolder query string parameter and fails to verify that the resolved folder belongs to the document library identified by the List parameter. As a result, an authenticated user with upload rights to one document library can cause SharePoint to write files into a different library on the same site. The upload operation ultimately reaches SPFolder.Files.Add() after RootFolder is read from the HTTP request via SPRequestParameterUtility.GetValue and resolved through PrivateWeb.GetFolder(). In environments where the target path is the Master Page Gallery (/_catalogs/masterpage) and SharePoint PageParserPaths is configured to allow server-side script execution there, the arbitrary file upload can be escalated to remote code execution by uploading an ASPX webshell. Microsoft fixed the issue by adding a ParentListId ownership check and null-list validation in microsoft.office.policy.pages.dll.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an authenticated low-privilege SharePoint user with Contribute or equivalent upload permissions on any document library to bypass library boundary restrictions and upload files into other restricted libraries on the same site. In the worst case, if server-side script execution is permitted in the Master Page Gallery, the attacker can upload an ASPX webshell and achieve remote code execution over the network under the w3wp.exe application pool identity. This can enable arbitrary OS command execution and potentially further compromise of the SharePoint server and hosted content.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by restricting upload permissions to trusted users, closely monitoring requests to /_layouts/15/Upload.aspx for mismatched List and RootFolder values, and reviewing SharePoint ULS logs for the traversal-related trace tags introduced by the patch. Review whether PageParserPaths permits server-side script execution under /_catalogs/masterpage/* and disable that capability where not strictly required, as this configuration is what turns the arbitrary cross-library upload into reliable remote code execution. Monitoring for uploads into the Master Page Gallery and suspicious ASPX files can also help detect exploitation attempts.

Remediation

Patch, then assume compromise.

Apply Microsoft's June 2026 security updates for affected SharePoint products: KB5002874 for SharePoint Server 2019 and KB5002880 for SharePoint Server 2016 / SharePoint Enterprise Server 2016. The fix adds validation that the resolved folder's ParentListId matches CurrentList.ID and rejects requests where no valid target list is set. Verify that microsoft.office.policy.pages.dll has been updated to a patched build (16.0.10417.20153 for SharePoint Server 2019, 16.0.5556.1000 for SharePoint Server 2016) and that vulnerable builds such as 16.0.10337.12109 and 16.0.5535.1000 are no longer present.

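
As an added example that is not part of the advisory or of Microsoft's code, the following Python models the ownership check the fix introduces (the resolved RootFolder must belong to the library named by List, and a request with no valid list is rejected) and runs it over IIS log lines to flag the mismatched List/RootFolder requests the mitigation section says to monitor. The List GUIDs, library root folders and the W3C log excerpt are constructed; in practice the GUID-to-folder map comes from your own farm.

```python
# Added example, not code from the advisory or from Microsoft; GUIDs, roots and log are constructed.
from posixpath import normpath
from typing import Optional
from urllib.parse import parse_qs, unquote

# Constructed: List GUIDs as they appear in the query string -> library root folders.
LIST_ROOTS = {
    "{aaaaaaaa-1111-2222-3333-444444444444}": "/sites/team/Shared Documents",
    "{bbbbbbbb-1111-2222-3333-444444444444}": "/sites/team/Upload Drop",
}
# Constructed W3C IIS log excerpt: date time cs-method cs-uri-stem cs-uri-query sc-status
IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status
2026-06-10 09:14:02 POST /sites/team/_layouts/15/Upload.aspx List=%7BAAAAAAAA-1111-2222-3333-444444444444%7D&RootFolder=%2Fsites%2Fteam%2FShared%20Documents%2FReports 200
2026-06-10 09:15:47 POST /sites/team/_layouts/15/Upload.aspx List=%7BBBBBBBBB-1111-2222-3333-444444444444%7D&RootFolder=%2Fsites%2Fteam%2F_catalogs%2Fmasterpage 200
2026-06-10 09:16:03 POST /sites/team/_layouts/15/Upload.aspx RootFolder=%2Fsites%2Fteam%2FShared%20Documents 200
"""

def normalize(path: str) -> str:
    """Decode, force one leading slash and collapse '.'/'..' so folders compare literally."""
    p = "/" + unquote(path).replace("\\", "/").lstrip("/")
    return normpath(p).rstrip("/") or "/"

def check_upload(uri_stem: str, query: str) -> Optional[str]:
    """Finding for a suspicious Upload.aspx request; None when List and RootFolder agree."""
    if not uri_stem.lower().endswith("/_layouts/15/upload.aspx"):
        return None
    qs = parse_qs(query)
    list_id = qs.get("List", [""])[0].lower()
    root_folder = qs.get("RootFolder", [""])[0]
    if not root_folder:
        return None
    root = LIST_ROOTS.get(list_id)
    if root is None:                      # missing/unknown list: the null-list case the patch rejects
        return f"no valid List for RootFolder={normalize(root_folder)}"
    folder, lib = normalize(root_folder).lower(), normalize(root).lower()  # SharePoint URLs are case-insensitive
    if folder != lib and not folder.startswith(lib + "/"):  # folder's owning library is not List
        return f"RootFolder={normalize(root_folder)} outside library {root}"
    return None

def scan_iis(log: str) -> list[str]:
    findings = []
    for line in log.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 5:   # skip W3C directives and short lines
            continue
        query = "" if fields[4] == "-" else fields[4]
        if hit := check_upload(fields[3], query):
            findings.append(f"{fields[0]} {fields[1]} {hit}")
    return findings
```

Running scan_iis(IIS_LOG) reports the second and third requests; the first stays inside its own library and is silent.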
PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor                 Product                        Type
Microsoft Corporation  Office Sharepoint              application
Microsoft Corporation  Sharepoint                     application
Microsoft Corporation  Sharepoint Enterprise Server   application
Microsoft Corporation  Sharepoint Server              application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
