CVE-2026-26144 is a cross-site scripting (CWE-79) vulnerability found in Microsoft 365 Apps for Enterprise, specifically in Microsoft Excel version 16.0.1. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages within the application. This flaw allows an attacker to inject malicious scripts that execute in the context of the victim's session, leading to unauthorized disclosure of sensitive information over the network. The CVSS v3.1 base score is 7.5, indicating a high severity level. The attack vector is network-based (AV:N), requiring no privileges (PR:N) and no user interaction (UI:N), which increases the risk of exploitation. The scope is unchanged (S:U), and the impact is primarily on confidentiality (C:H), with no impact on integrity or availability. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk due to its ease of exploitation and potential to leak sensitive data. The vulnerability was reserved in February 2026 and published in March 2026. No patches or mitigations have been linked yet, but Microsoft is the vendor responsible for addressing this issue.

The primary impact of CVE-2026-26144 is unauthorized disclosure of sensitive information, which can compromise confidentiality within affected organizations. Since the vulnerability allows remote exploitation without authentication or user interaction, attackers can potentially target a wide range of users running the vulnerable Microsoft Excel version. This could lead to leakage of corporate data, intellectual property, or personally identifiable information (PII). The absence of impact on integrity and availability means the threat is focused on data confidentiality rather than system disruption or data manipulation. Organizations relying heavily on Microsoft 365 Apps for Enterprise, especially Excel, are at risk of data breaches that could result in regulatory penalties, reputational damage, and financial losses. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the potential for future attacks once exploit code becomes available.

Organizations should monitor Microsoft’s official channels for patches addressing CVE-2026-26144 and apply updates promptly once released. In the interim, implement strict input validation and sanitization controls on any data imported into or processed by Microsoft Excel to reduce the risk of malicious script injection. Employ Content Security Policy (CSP) headers where applicable to limit the execution of unauthorized scripts. Restrict network access to Microsoft 365 services using firewalls and network segmentation to reduce exposure. Educate users about the risks of opening untrusted Excel files and encourage the use of protected view modes. Additionally, consider deploying endpoint detection and response (EDR) solutions capable of identifying suspicious script execution behaviors. Regularly audit and monitor logs for unusual activity related to Microsoft 365 Apps to detect potential exploitation attempts early.