Skip to main content

365 Apps CVE-2026-21509

HIGH
Reliance on Untrusted Inputs in a Security Decision (CWE-807)
2026-01-26 secure@microsoft.com
7.8
CVSS 3.1 · Vendor: microsoft
Share

Severity by source

Vendor (microsoft) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from Vendor (microsoft) · only source for this CVE.

CVSS VectorVendor: microsoft

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Mar 12, 2026 - 22:00 vuln.today
Added to CISA KEV
Feb 11, 2026 - 15:40 cisa
CISA KEV
CIRCL Exploitation Confirmed
Feb 11, 2026 - 15:40 circl
CIRCL KEV
CVE Published
Jan 26, 2026 - 18:16 nvd
HIGH 7.8

DescriptionCVE.org

Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.

AnalysisAI

Microsoft Office contains a security feature bypass (CVE-2026-21509, CVSS 7.8) where reliance on untrusted inputs in security decisions allows local attackers to bypass protections designed to prevent execution of malicious content. KEV-listed with EPSS 9.3%, this vulnerability enables attackers to circumvent Office security features like Protected View or macro restrictions through crafted documents.

Technical ContextAI

Office's security model uses metadata and file attributes to determine whether to apply security restrictions (Protected View, macro blocking, etc.). This vulnerability allows attackers to manipulate these inputs so that Office treats malicious documents as trusted, bypassing security features that would normally prevent code execution. This is a common technique in the attack chain: first bypass protections, then exploit a separate vulnerability for code execution.

RemediationAI

Apply Microsoft security update immediately. Enforce Attack Surface Reduction (ASR) rules for Office. Block macros from internet-sourced documents via Group Policy. Enable Protected View for all external documents. User awareness training on document-based threats.

CVE-2026-21514 HIGH
7.8 Feb 10

Microsoft Office Word contains a security decision bypass (CVE-2026-21514, CVSS 7.8) through reliance on untrusted input

CVE-2024-21413 CRITICAL POC
9.8 Feb 13

Microsoft Outlook Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotel

CVE-2025-47957 HIGH POC
8.4 Jun 10

Use-after-free vulnerability in Microsoft Office Word that allows local, unauthenticated attackers to execute arbitrary

CVE-2022-41106 HIGH
8.8 Nov 09

Microsoft Excel Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely expl

CVE-2023-33148 HIGH POC
7.8 Jul 11

Microsoft Office Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack

CVE-2025-27751 HIGH POC
7.8 Apr 08

Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. Rated high severity (C

CVE-2025-47165 HIGH POC
7.8 Jun 10

Use-after-free vulnerability in Microsoft Office Excel that allows local code execution with high severity (CVSS 7.8). A

CVE-2025-47175 HIGH POC
7.8 Jun 10

Use-after-free vulnerability in Microsoft Office PowerPoint that allows an unauthenticated local attacker to execute arb

CVE-2023-36041 HIGH POC
7.8 Nov 14

Microsoft Excel Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentica

CVE-2023-28311 HIGH POC
7.8 Apr 11

Microsoft Word Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authenticat

CVE-2023-28285 HIGH POC
7.8 Apr 11

Microsoft Office Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentic

CVE-2023-23399 HIGH POC
7.8 Mar 14

Microsoft Excel Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentica

Share

CVE-2026-21509 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy