// #sharepoint
5 articles
HTTP.sys CVE-2026-47291: Quantifying Wormable Risk Across the Windows Server Estate
Three days after the June Patch Tuesday, CVE-2026-47291 in HTTP.sys remains unpatched on a significant proportion of enterprise Windows Server infrastructure. This article maps the attack surface — which services expose HTTP.sys, how the worm propagation would function, and what network controls reduce the blast radius while patching is in progress.
Pwn2Own Demonstrates Second Distinct SharePoint RCE Chain — Five Days After Patch Tuesday Fixed CVE-2026-40365
Researchers at Pwn2Own Berlin 2026 demonstrated a multi-bug SharePoint Server remote code execution chain that is entirely distinct from CVE-2026-40365, the SharePoint RCE patched in the 12 May Patch Tuesday. The new chain, targeting SharePoint's server-side processing pipeline, has no patch and will not receive one for up to 90 days.
SharePoint Server RCE and Office Preview Pane Vulnerabilities Fixed in May Patch Tuesday — Enterprise Document Attack Surface Elevated
May's Patch Tuesday patches an authenticated RCE in SharePoint Server (CVE-2026-40365) and multiple Office vulnerabilities exploitable via the Windows Explorer and Outlook preview pane without opening files. Together they represent a significant enterprise document attack surface. Assess SharePoint exposure and validate Office update deployment this week.
Microsoft April 2026 Patch Tuesday: 167 Flaws Patched Including Two Zero-Days
Microsoft's April 2026 Patch Tuesday addresses 167 vulnerabilities, including an actively exploited SharePoint spoofing zero-day (CVE-2026-32201) and a publicly disclosed Defender elevation-of-privilege flaw. Eight Critical-rated vulnerabilities include a CVSS 9.8 IKE RCE and a Critical Active Directory RCE assessed as exploitation more likely.
CISA Flags SharePoint Zero-Day CVE-2026-32201 as Actively Exploited — Patch Arrives Tomorrow
CISA has added CVE-2026-32201, a Microsoft SharePoint Server spoofing vulnerability under active exploitation, to the KEV catalogue with a 28 April remediation deadline. The timing is unusual: Microsoft has not yet released a patch as of this alert, with the fix expected in tomorrow's Patch Tuesday release. Organisations must decide whether to implement mitigations today or accept overnight exposure until the patch lands.