CVE-2026-26144

CWE-79 — Cross-site Scripting (XSS)7 documents6 sources

Severity

4.7MEDIUM

EPSS

0.1%

top 71.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Microsoft 365 Apps FOR Enterprise

Timeline

PublishedMar 10

Description

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages1 packages

▶CVEListV5microsoft/microsoft_365_apps_for_enterprise16.0.1 — https://aka.ms/OfficeSecurityReleases

🔴Vulnerability Details

GHSA

GHSA-39m5-6xwx-6qjf: Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office Excel allows an unauthorized attacker to disc↗2026-03-10

▶

CVEList

Microsoft Excel Information Disclosure Vulnerability↗2026-03-10

▶

📋Vendor Advisories

Microsoft

Microsoft Excel Information Disclosure Vulnerability↗2026-03-10

▶

🕵️Threat Intelligence

Wiz

CVE-2026-26144 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶