Microsoft released 83 security patches on Tuesday, including a critical Excel vulnerability that weaponizes the Copilot Agent for a zero-click information disclosure attack.
This update is smaller than the previous month’s release, which addressed six actively exploited zero-day vulnerabilities. None of the 83 new Common Vulnerabilities and Exposures (CVEs) listed in this release are currently under active exploitation.
CVE-2026-26144 is a critical-severity information disclosure vulnerability in Microsoft Excel. The cross-site scripting flaw allows an attacker to cause the Copilot Agent to exfiltrate data via unintended network egress. Microsoft stated that this vulnerability enables a zero-click attack with no user interaction required.
Dustin Childs, chief bug hunter at Zero Day Initiative, described the flaw as “fascinating.” Childs noted that this attack scenario is likely to become more common.
Alex Vovk, CEO and co-founder of Action1, highlighted the severity of this vulnerability in corporate settings. “Information disclosure vulnerabilities are especially dangerous in corporate environments where Excel files often contain financial data, intellectual property, or operational records,” Vovk said. Vovk added that attackers could silently extract confidential information without triggering obvious alerts.
Two additional critical CVEs, CVE-2026-26110 and CVE-2026-26113, are Office remote code execution bugs. These flaws are triggerable via the Preview Pane, meaning a user does not need to fully open a malicious file for exploitation.
CVE-2026-26110 is a type confusion flaw in Microsoft Office. CVE-2026-26113 is caused by an untrusted pointer dereference flaw in Microsoft Office. Jack Bicer, director of vulnerability research at Action1, stated that when a simple document preview triggers code execution, attackers gain a doorway directly into the system.
Two CVEs are publicly known but not exploited at the time of disclosure. CVE-2026-26127 is an out-of-bounds read issue in .NET that allows for a network-based denial of service. Microsoft deems exploitation of this flaw unlikely.
CVE-2026-21262 is an improper access control vulnerability in SQL Server that allows an authorized attacker to elevate privileges over a network. Microsoft stated that this vulnerability is “less likely” to be exploited in the wild.
