PT-2026-24337 · Microsoft · Office Excel

Published: 2026-03-10 · Updated: 2026-04-23 · CVE-2026-26144

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Affected Versions: Microsoft Office Excel versions prior to the March 2026 Patch Tuesday update
Description

A critical issue exists in Microsoft Excel: input is improperly neutralized during web page generation, a cross-site scripting (XSS) flaw, which allows an unauthorized attacker to disclose information over a network. The vulnerability is particularly concerning because it can be weaponized through Microsoft Copilot Agent, enabling silent data exfiltration with no user interaction and no warnings. Copilot Agent processes workbooks automatically, acts with the user's credentials, and can send data to an attacker-controlled endpoint. Merely previewing a file, for example in Outlook, is enough to trigger the vulnerability.

This flaw reflects a broader pattern of security concerns with AI agents, where insufficient execution boundaries lead to unintended data exposure. The root cause is the lack of enforcement of execution boundaries at the point of action, a condition termed 'ambient authority'. No malware is required, and the data exposed can include financial spreadsheets, internal reports, and other business data handled by Copilot.
Recommendations: Apply the March 2026 Patch Tuesday update to address this vulnerability.

Fix

Weakness Enumeration: XSS

Related Identifiers: BDU:2026-03051, CVE-2026-26144

Affected Products: Office Excel