365 Apps
CVE-2026-26144
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network.
AnalysisAI
Information disclosure in Microsoft 365 Apps Excel allows unauthenticated remote attackers to extract sensitive data through stored cross-site scripting attacks in generated web content. The vulnerability requires no user interaction and affects all Excel users who process untrusted documents. No patch is currently available, leaving users dependent on mitigation strategies until Microsoft releases a fix.
Technical ContextAI
Classified as CWE-79 (Cross-site Scripting (XSS)). Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network.
RemediationAI
Monitor vendor advisories for a patch. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.
Microsoft Office contains a security feature bypass (CVE-2026-21509, CVSS 7.8) where reliance on untrusted inputs in sec
Microsoft Office Word contains a security decision bypass (CVE-2026-21514, CVSS 7.8) through reliance on untrusted input
Microsoft Outlook Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotel
Use-after-free vulnerability in Microsoft Office Word that allows local, unauthenticated attackers to execute arbitrary
Microsoft Excel Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely expl
Microsoft Office Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack
Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. Rated high severity (C
Use-after-free vulnerability in Microsoft Office Excel that allows local code execution with high severity (CVSS 7.8). A
Use-after-free vulnerability in Microsoft Office PowerPoint that allows an unauthenticated local attacker to execute arb
Microsoft Excel Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentica
Microsoft Word Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authenticat
Microsoft Office Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentic
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today