# CVE-2026-33827

> An insecure deserialization vulnerability in the SharePoint Server workflow engine allows an authenticated remote attacker to achieve code execution on the SharePoint server. The flaw resides in the workflow activity processing pipeline where untrusted serialized objects are deserialized without adequate type validation. Threat actors have been observed chaining this vulnerability with CVE-2026-32201 (SharePoint spoofing zero-day) to escalate from unauthenticated session hijack to full server-side code execution against enterprise SharePoint farms.

- **CVSS:** 8.8 (HIGH)
- **EPSS:** 0.1%
- **CWE:** CWE-502

Canonical: https://intel.threadlinqs.com/cve/CVE-2026-33827
Full threat coverage + IOCs via the Threadlinqs MCP server (Purple tier): https://intel.threadlinqs.com/mcp