CVE-2026-32201 is an actively exploited spoofing vulnerability in on-premises Microsoft SharePoint Server caused by improper input validation. The flaw affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. Microsoft describes the issue as allowing an unauthorized attacker to perform spoofing over a network. Available reporting indicates the weakness is reachable remotely, requires no authentication, has low attack complexity, and does not require user interaction. The vulnerable condition appears to arise from SharePoint request processing that fails to properly validate attacker-controlled input, enabling an adversary to impersonate trusted SharePoint content or resources and influence how information is presented within the SharePoint environment. Microsoft confirmed the vulnerability was exploited in the wild as a zero-day prior to patch availability.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
Repository contains a single Python proof-of-concept exploit script and a README. The main file, CVE-2026-32201-exploit.py, is a standalone CLI tool using requests, argparse, sys, and urllib.parse.urljoin. Its workflow is simple: first fingerprint the target by issuing a GET request to /_layouts/15/start.aspx and checking for a 200 response containing the string 'SharePoint'; if detected, it sends a crafted POST request to a configurable endpoint, defaulting to /_layouts/15/notify.aspx. The POST body includes recipient, subject, message, and sender_override, where sender_override is treated as the allegedly vulnerable parameter enabling spoofed sender identity. The script prints status code, response length, a response snippet, and basic success indicators such as 'success' or 'sent' in the response body. The exploit is network/web-based, unauthenticated in design, and intended to spoof SharePoint notifications rather than achieve code execution. The README expands on intended use, affected SharePoint versions, and possible operator customization, including arbitrary message content and endpoint fuzzing. Overall, this is a small operational PoC for testing a claimed SharePoint spoofing/input-validation issue, not a framework module and not merely a detector.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
115 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Microsoft SharePoint Server vulnerability affecting supported on-premises versions that is being actively exploited to gain unauthorized access; the activity involves remote code execution and post-exploitation persistence techniques.
Another Microsoft SharePoint Server vulnerability mentioned as background because it was previously added to CISA's KEV catalog.
A Microsoft SharePoint authentication bypass vulnerability referenced in the vendor security history.
A Microsoft SharePoint Server vulnerability referenced as having been added by CISA to the Known Exploited Vulnerabilities catalog, indicating in-the-wild exploitation.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.