Important: If your current farm patch level is September 2025 CU, remove the NT Authority\system account from WSS_WPG and IIS_IUSRS local security groups of the SharePoint machines – otherwise installing the SharePoint fixes will fail.
For more details check this article: Trending Issue: SharePoint fixes fail to install after installation of September 2025 CU
Below are the security fixes for the SharePoint OnPrem versions released this month.
SharePoint Server 2016:
- KB 5002841 – SharePoint Server 2016 (language independent)
- KB 5002840 – SharePoint Server 2016 (language dependent)
Microsoft Support recommends to install the complete February 2026 CU for SharePoint 2016 rather than individual security fixes.
SharePoint Server 2019:
- KB 5002834 – SharePoint Server 2019 (language independent)
- KB 5002836 – SharePoint Server 2019 (language dependent)
Microsoft Support recommends to install the complete February 2026 CU for SharePoint 2019 rather than individual security fixes.
SharePoint Server Subscription Edition:
- KB 5002833 – SharePoint Server Subscription Edition
This security fix is identical with February 2026 CU for SharePoint Server Subscription Edition.
Office Online Server:
- KB 5002835 – Office Online Server
More information:
Please ensure to have a look at the SharePoint Patching Best Practices before applying new fixes.
Security Vulnerabilities fixed in this PU
| Vulnerability | SP 2016 | SP 2019 | SP SE | OOS | Impact | Max Severity |
|---|---|---|---|---|---|---|
| CVE-2026-21258 | x | Information Disclosure | Important | |||
| CVE-2026-21259 | x | Elevation of Privilege | Important | |||
| CVE-2026-21260 | x | x | x | Spoofing | Important | |
| CVE-2026-21261 | x | Information Disclosure | Important | |||
| CVE-2026-21511 | x | x | x | Spoofing | Important |
See the Security Update Guide below for more details about the relevant fixes: