CVE-2026-26144 (CVSS 7.5, Critical) is a cross-site scripting (XSS) vulnerability in Microsoft Excel caused by improper input neutralization during web page generation (CWE-79).
When chained with Copilot Agent mode, the XSS triggers unintended network egress — exfiltrating spreadsheet data without any user interaction or click.
ZDI chief bug hunter Dustin Childs called it "fascinating" and warned it's "an attack scenario we're likely to see more often" — combining classic XSS with indirect prompt injection against AI agents.
The vulnerability requires network access but no privileges and no user interaction (zero-click), making it dangerous in corporate environments where Excel files contain financial data, intellectual property, and operational records.
Microsoft's advisory explicitly states the bug can "cause Copilot Agent mode to exfiltrate data via unintended network egress" — a direct weaponization of an AI agent as an attack primitive.
Action1 CEO Alex Vovk warned that information disclosure is especially dangerous in corporate environments where Excel files often contain sensitive financial and strategic data.
It was patched in the March 2026 Patch Tuesday release alongside 82 other CVEs; two zero-days were also disclosed in the same release but were not under active exploitation.
Why it matters
This is one of the first documented weaponizations of an AI agent (Copilot) as an exfiltration channel via a traditional web vulnerability — a hybrid attack pattern blurring the line between XSS and prompt injection.
AI agents with network access and auto-processing capabilities (like Copilot in Excel) amplify classic vulns — what was once a stored XSS becomes a zero-click data theft pipeline.
Defenders must now consider AI agent permissions as part of the blast radius when assessing Office and productivity-suite vulnerabilities.
What to do
Patch immediately — apply the March 2026 cumulative update for Microsoft Office/Excel.
Restrict outbound network traffic from Office applications via firewall rules or proxy policies.
Monitor for unusual network requests generated by Excel processes (especially to non-standard destinations).
Disable or limit Copilot Agent in high-sensitivity environments until the fix is deployed.
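As an added illustration of the monitoring step above (this is example code, not from the advisory or any vendor tool), the following Python triages constructed Sysmon Event ID 3 records and flags connections from EXCEL.EXE to destinations outside an assumed allow-list, to raw external IPs, or on non-standard ports. The allow-list, watched process names, internal ranges and sample records are all assumptions to be tuned per environment.

```python
import ipaddress

# Constructed Sysmon Event ID 3 (network connection) records as an EDR might
# export them; hostnames and RFC 5737 test-net IPs are illustrative only.
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [
    {"Image": EXCEL, "DestinationHostname": "graph.microsoft.com", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"Image": EXCEL, "DestinationHostname": "-", "DestinationIp": "203.0.113.45", "DestinationPort": 443},
    {"Image": r"C:\Windows\System32\svchost.exe", "DestinationHostname": "-", "DestinationIp": "203.0.113.45", "DestinationPort": 443},
    {"Image": EXCEL, "DestinationHostname": "collector.example.net", "DestinationIp": "198.51.100.7", "DestinationPort": 8080},
    {"Image": EXCEL, "DestinationHostname": "-", "DestinationIp": "10.20.30.40", "DestinationPort": 445},
    {"Image": EXCEL, "DestinationHostname": "evil-microsoft.com", "DestinationIp": "198.51.100.9", "DestinationPort": 443},
]

# Assumed allow-list of domains Excel and Copilot legitimately reach; tune it per tenant.
ALLOWED_DOMAINS = ("microsoft.com", "office.com", "office.net", "sharepoint.com")
WATCHED_IMAGES = {"excel.exe"}
STANDARD_PORTS = {80, 443}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def host_allowed(host):
    """Exact or subdomain match only; a bare endswith() would let evil-microsoft.com through."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

def is_internal(ip):
    """RFC 1918/loopback check by hand: ipaddress.is_private would also match the 203.0.113.0/24 test net."""
    try:
        return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)
    except ValueError:
        return False

def find_suspicious_egress(events):
    """Return Excel-originated external connections that look unusual, each with its reasons."""
    findings = []
    for ev in events:
        image = ev.get("Image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        host, ip, port = ev.get("DestinationHostname", "-"), ev.get("DestinationIp", ""), int(ev.get("DestinationPort", 0))
        if image not in WATCHED_IMAGES or is_internal(ip):
            continue  # other processes and internal file shares are out of scope for this check
        reasons = []
        if host in ("", "-"):
            reasons.append(f"direct connection to external IP {ip}")
        elif not host_allowed(host):
            reasons.append(f"destination {host} not in allow-list")
        if port not in STANDARD_PORTS:
            reasons.append(f"non-standard port {port}")
        if reasons:
            findings.append({"destination": ip if host in ("", "-") else host, "port": port, "reasons": reasons})
    return findings
```

Running `find_suspicious_egress(SAMPLE_EVENTS)` on the constructed records returns three findings (the raw external IP, the collector on port 8080, and the look-alike domain) and ignores the svchost.exe event and the internal share.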