Three new Office Security Patches You Should Not Ignore

Microsoft has quietly patched three vulnerabilities in Office that deserve more attention than they usually get. Two of them can be triggered just by looking at a file. The third turns Excel and Copilot into a potential data leak.

Today’s “Patch Tuesday” has fixes for another 79 security bugs in Windows, Office and other Microsoft wares.

Three of those caught our eye as both serious and Microsoft Office related.

The Preview Pane Problem x 2

These two flaws affect Microsoft Office broadly, and they share a particularly uncomfortable trait: you do not have to open a file to be attacked.

Both vulnerabilities can be exploited through the Preview Pane in Windows Explorer or Outlook. That means an attacker only needs to get a malicious Office file in front of you. If you click it once to preview it, the attack can run. No double-click required. No macros to enable. No prompts to dismiss.

This matters because most people treat the Preview Pane as a safe way to “peek” at a file before opening it. These security bugs are a reminder that previewing is still an action, and acting in any way on untrusted files carries risk.

Microsoft has rated both vulnerabilities as Important, meaning exploitation is considered likely even if no active attacks have been confirmed publicly yet.

Apply the March 2026 Patch Tuesday updates immediately if you have not already, or if the software hasn’t done it for you.

All supported versions of Office are affected, from Office 2016 to Office 2024 plus Microsoft 365 apps, on Windows and Mac. Office for Android is also affected.

References:

CVE-2026-26110
Microsoft Office Remote Code Execution Vulnerability
“Access of resource using incompatible type (‘type confusion’) in Microsoft Office allows an unauthorized attacker to execute code locally.”

CVE-2026-26113
Microsoft Office Remote Code Execution Vulnerability
“Untrusted pointer dereference in Microsoft Office allows an unauthorized attacker to execute code locally.”

The Excel and Copilot Data Leak

This one is different in nature but arguably more alarming in scope. It’s called an information disclosure flaw in Microsoft Excel combined with Copilot.

Microsoft says “An attacker who successfully exploited this vulnerability could potentially cause Copilot Agent mode to exfiltrate data via unintended network egress, enabling zero-click information disclosure attack.”

On its own, ‘information disclosure’ or ‘exfiltrate data’ sounds dry. In practice it means an attacker could craft a workbook that silently exposes data from your system or session without triggering obvious warnings.

What makes this vulnerability stand out is the attack chain it enables. Microsoft Copilot integration in Excel creates a pathway for that exposed data to be exfiltrated, meaning sent out of your environment entirely. Copilot’s ability to read spreadsheet content and interact with external services makes it a convenient exit route for data that should never leave your machine.

Only Microsoft 365 apps for Windows are affected.

CVE-2026-26144
Microsoft Excel Information Disclosure Vulnerability
“Improper neutralization of input during web page generation (‘cross-site scripting’) in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network.”

About this author

Office-Watch.com

Office Watch is the independent source of Microsoft Office news, tips and help since 1996. Don't miss our famous free newsletter.