HIGHCVE-2026-26144Published 2026-03-10Modified 2026-04-14CNA microsoft

CVE-2026-26144: Microsoft Excel Information Disclosure Vulnerability

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network.

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: https://aka.ms/OfficeSecurityReleases
Affected Products: 1

Fix available

https://aka.ms/OfficeSecurityReleases

Patch commits

Microsoft Excel Information Disclosure Vulnerability

Affected packages

Microsoft / Microsoft 365 Apps for Enterprise
< https://aka.ms/OfficeSecurityReleases (from 16.0.1)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C

References

Microsoft Excel Information Disclosure Vulnerability

Metrics

Fix available