CVE-2026-26144: Microsoft Excel Information Disclosure Vulnerability

Overview

Severity: High (CVSS 7.5)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Category: Information Disclosure
Exploit Status: Not Exploited
Exploitation Likelihood: Unlikely
Patch Tuesday: 2026-Mar
Released: 2026-03-10
EPSS Score: 0.10% (percentile: 26.4%)

Description

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network.

FAQ

Is the Preview Pane an attack vector for this vulnerability?
No, the Preview Pane is not an attack vector.

What type of information could be disclosed by this vulnerability?
An attacker who successfully exploited this vulnerability could potentially cause Copilot Agent mode to exfiltrate data via unintended network egress, enabling a zero-click information disclosure attack.

Affected Products (2)

Microsoft Office

  • Microsoft 365 Apps for Enterprise for 64-bit Systems
  • Microsoft 365 Apps for Enterprise for 32-bit Systems

Acknowledgments

Anonymous

Revision History

  • 2026-03-10: Information published.