365 Apps
CVE-2026-21514
HIGH
Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Reliance on untrusted inputs in a security decision in Microsoft Office Word allows an unauthorized attacker to bypass a security feature locally.
AnalysisAI
Microsoft Office Word contains a security decision bypass (CVE-2026-21514, CVSS 7.8) through reliance on untrusted inputs, allowing local attackers to bypass protections when opening malicious documents. KEV-listed, this vulnerability enables document-based attacks that circumvent Word's security features designed to protect users from malicious content.
Technical ContextAI
Word uses file metadata, Zone.Identifier, and other attributes to determine whether security restrictions should apply to a document. By manipulating these inputs, an attacker can cause Word to treat a malicious document as trusted, bypassing Protected View and other protective mechanisms. This is a security feature bypass that enables exploitation of other vulnerabilities or direct macro execution.
RemediationAI
Apply Microsoft security update. Block macros from internet-sourced documents via Group Policy. Enable ASR rules for Office applications. Implement email attachment sandboxing.
Microsoft Office contains a security feature bypass (CVE-2026-21509, CVSS 7.8) where reliance on untrusted inputs in sec
Microsoft Outlook Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotel
Use-after-free vulnerability in Microsoft Office Word that allows local, unauthenticated attackers to execute arbitrary
Microsoft Excel Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely expl
Microsoft Office Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack
Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. Rated high severity (C
Use-after-free vulnerability in Microsoft Office Excel that allows local code execution with high severity (CVSS 7.8). A
Use-after-free vulnerability in Microsoft Office PowerPoint that allows an unauthenticated local attacker to execute arb
Microsoft Excel Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentica
Microsoft Word Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authenticat
Microsoft Office Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentic
Microsoft Excel Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentica
Share
External POC / Exploit Code
Leaving vuln.today