By Jessica Lyons
Publication Date: 2026-03-10 20:35:00
After a whopper of a Patch Tuesday last month, with six Microsoft flaws exploited as zero-days, March didn’t exactly roar in like a lion. Just two of the 83 Microsoft CVEs released on Tuesday are listed as publicly known, and none is under active exploitation, which we’re sure is a welcome change to sysadmins.
Another eight of the 83 Microsoft CVEs are considered critical, and one of these – to quote Zero Day Initiative chief bug hunter Dustin Childs – is “fascinating.” Plus, it’s got an AI-attack component, so we’re going to start with it.
CVE-2026-26144 is a critical-severity information disclosure vulnerability in Microsoft Excel. This cross-site scripting flaw can be exploited to “cause Copilot Agent mode to exfiltrate data via unintended network egress, enabling a zero-click information disclosure attack,” Redmond warned.
Yes, you read that right: a zero-click bug that weaponizes an Excel spreadsheet…
