SharePoint Server Subscription Edition
Comprehensive overview of current Cumulative Updates, known issues, community insights, and patching best practices for your SPSE farm.
Actively exploited: CVE-2026-32201 (spoofing, CVSS 6.5). Install April 2026 CU immediately — KB5002853 (SPSE), KB5002854 (2019), KB5002861 (2016). CISA deadline: April 28, 2026.
Cumulative Update Tracker 2026
All monthly CU releases for SharePoint Server Subscription Edition at a glance. Source: Stefan Goßner Blog (Microsoft).
April 2026: Notice, Security, Current
March 2026: Notice, Security
February 2026: Stable, Security
January 2026: Notice, Security
SharePoint CVE Overview
All known CVEs for SharePoint Server Subscription Edition from the January and March 2026 Cumulative Updates. Source: Microsoft Security Response Center (MSRC). No SharePoint-specific CVE was published in the February 2026 CU.
Unauthenticated Remote Code Execution — the most severe SharePoint CVE in 2026. No login needed, no user click required. CVSS was raised from 8.8 to 9.8. Immediate patch via January 2026 CU required.
January 2026 CU — 5 CVE(s) for SharePoint
SharePoint Remote Code Execution
Critical RCE vulnerability requiring no authentication and no user interaction. An unauthenticated attacker can execute arbitrary code on the SharePoint server over the network. CVSS subsequently raised to 9.8 (originally 8.8).
SharePoint Server Remote Code Execution
RCE by authenticated user without user interaction. A logged-in user with minimal privileges can execute arbitrary code on the server. Network attack, low complexity.
SharePoint Server Remote Code Execution (File)
RCE via crafted file (AV:L). Attacker must trick a user into opening a manipulated file — classic phishing vector. No login required.
SharePoint Information Disclosure
Information disclosure by authenticated user. Limited impact on confidentiality and integrity. Network access required, no user interaction.
SharePoint Server Spoofing
Spoofing vulnerability: attacker with user rights can deceive other users when they interact with a manipulated link/content. Low severity.
March 2026 CU — 3 CVE(s) for SharePoint
SharePoint Server Remote Code Execution
RCE by authenticated user without user interaction. Full control over confidentiality, integrity, and availability. Network attack, low complexity.
SharePoint Server Remote Code Execution
Second RCE vulnerability in March 2026 CU with identical profile: network, low complexity, authenticated attacker, no user interaction, full C/I/A impact.
SharePoint Server Spoofing
High-value spoofing attack without authentication. User must interact with a crafted link. High impact on confidentiality and integrity (C:H, I:H).
February 2026 CU: Microsoft did not publish any SharePoint-specific CVEs in the February 2026 Cumulative Update. However, the CU contains functional improvements and SPSE fixes that are still required for the patch chain (Jan → Feb → March).
General Security Recommendations
Always stay on the latest CU
All critical CVEs are patched exclusively via CU. No separate security hotfix available.
Restrict network access
SharePoint farms should not be directly accessible from the internet. Use WAF and IP allowlisting.
Enforce least-privilege principle
Several CVEs require only minimal user rights. Regularly review user permissions.
Monitor MSRC bulletin
CVE-2026-20963 was subsequently raised from 8.8 to 9.8. Check regularly for updates.
Trending Issues
Trending issues documented by Stefan Goßner and Microsoft Engineering. Green = resolved, amber = active, red = critical.
Community Insights
Practical reports and notes from comments on Stefan Goßner's blog — from SharePoint administrators worldwide.
Installation stuck at ~20%: IIS cannot be stopped. Workaround: use Stefan Goßner's PowerShell install script and manually run IISRESET /STOP if needed.
In multi-server farms: Get-SPProduct -Local fails with SSL error if the Configuration Wizard has not yet been run on all servers.
OOS-integrated farms: PSConfig may fail with 'EcsClient assembly not found' error. Not widespread — open a Microsoft support case if encountered.
Distributed Cache Service: In rare cases, a cache server may not restart automatically after the patch script. Check services manually.
Cross-farm environments (Content Farm + Search Service Farm): After Feb 2026 CU, search errors 'Unknown error occurred' were reported. Check service restarts.
SAFE_NOTIFICATION_DATA error also affects farms with Project Server services registered in config DB (even without active PWA installation). In this case: contact Microsoft support.
March 2026 CU is not a feature update — no 26H1. According to Stefan Goßner, the schedule for feature updates is not fixed (usually March or September, but can be any month).
Upgrade from October 2025 CU directly to March 2026 CU may fail with MSP_REMINDER_TEMP_STORAGE error (Project Server related). Support case recommended.
Mandatory patch: CVE-2026-32201 is actively exploited (CISA KEV). Internet-exposed farms must be patched immediately. The April package also fixes the SAFE_NOTIFICATION_DATA error on direct Jan → March upgrades.
Before installing: if the farm is still on September 2025 CU, remove NT Authority\system from WSS_WPG and IIS_IUSRS on all servers. KB5002853 supersedes the previous KB5002843 security update.
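The pre-install step for farms still on September 2025 CU can be checked across the farm in one pass. The script below is an added example, not part of the original page or of Stefan Goßner's script; it assumes an elevated SharePoint Management Shell and PowerShell remoting between farm servers, and the variable `$remove` is a hypothetical toggle.

```powershell
# Added example (not from the original page).
# Assumes: elevated SharePoint Management Shell, PowerShell remoting enabled.
$remove    = $false                     # hypothetical toggle: $true also removes the membership
$systemSid = 'S-1-5-18'                 # well-known SID of NT AUTHORITY\SYSTEM
$groups    = 'WSS_WPG', 'IIS_IUSRS'     # the two local groups named in the note above

# Farm members only; Role 'Invalid' marks non-SharePoint hosts such as SQL servers
$servers = Get-SPServer |
    Where-Object { $_.Role -ne 'Invalid' } |
    Select-Object -ExpandProperty Address

$result = Invoke-Command -ComputerName $servers -ScriptBlock {
    param($sid, $groupNames, $doRemove)
    foreach ($g in $groupNames) {
        try {
            # Compare by SID so localized account names do not matter
            $hit = Get-LocalGroupMember -Group $g -ErrorAction Stop |
                Where-Object { $_.SID.Value -eq $sid }
            $state = if ($hit) { 'SYSTEM is a member' } else { 'clean' }
            if ($hit -and $doRemove) {
                Remove-LocalGroupMember -Group $g -Member $sid -ErrorAction Stop
                $state = 'SYSTEM removed'
            }
        }
        catch {
            # Report the failure per group instead of aborting the whole server
            $state = "check failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Server = $env:COMPUTERNAME
            Group  = $g
            State  = $state
        }
    }
} -ArgumentList $systemSid, $groups, $remove

# One row per server and group; anything other than 'clean' needs attention
$result | Sort-Object Server, Group | Format-Table Server, Group, State -AutoSize
```

Run it once with `$remove = $false` to get the report, then again with `$true` in the maintenance window before installing the CU.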
Patching Best Practices
Patch sequentially
Never skip CUs. Each update includes all previous fixes, but database schema upgrades must be sequential.
Stefan Goßner's PowerShell Script
The install script on GitHub correctly stops IIS, significantly reduces installation time, and avoids common errors.
PSConfig on all servers
After each CU, the SharePoint Products Configuration Wizard must be run on every server in the farm. Preferred: PSCONFIGUI.EXE.
Test environment first
Always validate updates in a test environment first. Especially with large build number jumps (like March 2026 CU).
Plan maintenance windows
Allow sufficient time for multi-server farms. The Goßner script significantly reduces pure installation time.
Stefan Goßner
Senior Escalation Engineer, Microsoft
Stefan Goßner is the most reliable and detailed source for SharePoint Server Subscription Edition updates at Microsoft. His blog documents all trending issues, workarounds, and solutions directly from the engineering team.
CNEXT Supports Your Patching Operations
As experienced Microsoft SharePoint partners, we take over update management for your SPSE farm — including testing, rollout planning, PSConfig, and monitoring.
Supported Server Versions
What is SharePoint Server On-Premises (Subscription Edition)?
SharePoint Server On-Premises (since 2021: SharePoint Server Subscription Edition) is the locally installed version of Microsoft SharePoint – without cloud dependency, on own hardware or in a private cloud. CNEXT operates, maintains and migrates SharePoint Server SE environments for Swiss organisations that cannot fulfil data sovereignty, compliance or specific integration requirements in SharePoint Online.
SharePoint Server Subscription Edition – current on-premises version without end-of-life and with annual feature updates
Microsoft
of Swiss organisations with SharePoint still operate an on-premises or hybrid environment
CNEXT customer data
typical migration period from SharePoint 2016/2019 to SharePoint SE with CNEXT
CNEXT project data
“SharePoint on-premises is not dead – it is the right choice for organisations with specific compliance, data localisation or integration requirements. We support Swiss organisations with SharePoint Server SE just as intensively as cloud customers.”
Marcel Haas — CEO & Solution Architect, CNEXT
SharePoint On-Premises Articles
Our expert articles on SharePoint Server, Subscription Edition, and on-premises operations.
Your SharePoint On-Premises Partner in Switzerland
From patch strategy to rollout to ongoing operations — we support Swiss companies with everything related to SharePoint Server Subscription Edition.