# CVE-2026-20963

> Remote code execution vulnerability in Microsoft SharePoint Server caused by unsafe deserialization of untrusted data (CWE-502). The flaw resides in the handling of serialized objects within ASP.NET ViewState and related serialized data streams processed by SharePoint application pages under the /_layouts/ directory. An attacker with low-level authentication can craft a malicious serialized payload using gadget chains to execute arbitrary code in the context of the SharePoint application pool process (w3wp.exe). Patched in the January 2026 Patch Tuesday release. CISA KEV added 2026-03-18 with remediation dead

- **CVSS:** 8.8 (HIGH)
- **EPSS:** 6.5%
- **CISA KEV:** yes
- **CWE:** CWE-502

Canonical: https://intel.threadlinqs.com/cve/CVE-2026-20963
