CVE-2026-26144

Published Mar 10, 2026

Last updated a day ago

CVSS high 7.5

Overview

Description
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network.
Source
secure@microsoft.com
NVD status
Analyzed
Products
365_apps

Risk scores

CVSS 3.1

Type
Primary
Base score
4.7
Impact score
1.4
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Severity
MEDIUM

Weaknesses

secure@microsoft.com
CWE-79

Social media

Hype score
Not currently trending

Configurations

Related CVEs

  1. Untrusted pointer dereference in Microsoft Office allows an unauthorized attacker to execute code locally.CVE-2026-26113
  2. Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally.CVE-2026-26112
  3. Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally.CVE-2026-26110
  4. Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally.CVE-2026-26109
  5. Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally.CVE-2026-26108

References

Sources include official advisories and independent security research.