CVE-2026-32201 is an improper input validation vulnerability in on-premises Microsoft SharePoint Server that allows an unauthorized attacker to perform spoofing over a network. The flaw affects supported self-hosted SharePoint Server releases, including SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. Available reporting indicates the weakness is in SharePoint request processing and stems from insufficient validation of attacker-controlled input, enabling a remote adversary to spoof trusted SharePoint resources or user context. Microsoft confirmed the vulnerability was exploited in the wild as a zero-day prior to patch availability.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
Repository contains a single Python proof-of-concept exploit script and a README. The main file, CVE-2026-32201-exploit.py, is a standalone CLI tool using requests, argparse, sys, and urllib.parse.urljoin. Its workflow is simple: first fingerprint the target by issuing a GET request to /_layouts/15/start.aspx and checking for a 200 response containing the string 'SharePoint'; if detected, it sends a crafted POST request to a configurable endpoint, defaulting to /_layouts/15/notify.aspx. The POST body includes recipient, subject, message, and sender_override, where sender_override is treated as the allegedly vulnerable parameter enabling spoofed sender identity. The script prints status code, response length, a response snippet, and basic success indicators such as 'success' or 'sent' in the response body. The exploit is network/web-based, unauthenticated in design, and intended to spoof SharePoint notifications rather than achieve code execution. The README expands on intended use, affected SharePoint versions, and possible operator customization, including arbitrary message content and endpoint fuzzing. Overall, this is a small operational PoC for testing a claimed SharePoint spoofing/input-validation issue, not a framework module and not merely a detector.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
124 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A SharePoint Server vulnerability under active exploitation that enables unauthorized access to vulnerable instances and is part of broader RCE and post-exploitation activity described by CISA.
An actively exploited Microsoft SharePoint Server vulnerability affecting supported on-premises/self-hosted versions; attackers are using it as part of chains enabling authentication bypass, remote code execution, and post-exploitation activity.
A recently patched SharePoint vulnerability that attackers are exploiting, prompting CISA to urge additional hardening measures.
A Microsoft SharePoint Server vulnerability affecting supported on-premises versions that is being actively exploited to gain unauthorized access; the activity involves remote code execution and post-exploitation persistence techniques.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.