Description
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network.
Published: 2026-03-10
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch Now
AI Analysis

Impact

This vulnerability stems from improper neutralization of user input when generating web pages within Microsoft Excel, resulting in a cross-site scripting (CWE-79) flaw that can expose sensitive data to an unauthorized network attacker. The weakness allows malicious code to be injected into Excel's web-display context, potentially leaking confidential information. The impact is therefore focused on confidentiality breach rather than code execution or service disruption.

Affected Systems

Affected products include Microsoft 365 Apps for Enterprise. No specific affected version numbers are listed in the provided data. The vulnerability is therefore presumed to apply to any current or legacy releases of the suite until a mitigating update is installed.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. EPSS puts the probability of exploitation below 1%, suggesting a low likelihood of widespread attacks at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote: an attacker supplies a crafted Excel file or embedded web content that triggers the XSS when the workbook is opened over a network. No additional exploitation conditions are mentioned in the data.

Generated by OpenCVE AI on March 16, 2026 at 23:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest security update for Microsoft 365 Apps for Enterprise that addresses CVE-2026-26144
  • Verify that the patch is installed on all affected systems
  • If no update is available yet, monitor Microsoft’s advisory for future releases and avoid embedding untrusted content in Excel workbooks

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*
cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*

Wed, 11 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Description Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network.
Title Microsoft Excel Information Disclosure Vulnerability
First Time appeared Microsoft
Microsoft 365 Apps
Weaknesses CWE-79
CPEs cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
Vendors & Products Microsoft
Microsoft 365 Apps
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-03-27T22:33:19.910Z

Reserved: 2026-02-11T16:24:51.134Z

Link: CVE-2026-26144

Vulnrichment

Updated: 2026-03-11T14:57:40.626Z

NVD

Status: Analyzed

Published: 2026-03-10T18:18:43.110

Modified: 2026-03-13T17:02:42.510

Link: CVE-2026-26144

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:33:59Z

Weaknesses