CVE-2026-26144: Excel XSS turns Copilot Agent into zero-click exfiltration tool
by Adam Bream
A zero-click XSS in Excel lets attackers instruct Copilot Agent to exfiltrate document contents to external servers. Microsoft patched CVE-2026-26144 on March 10, rating it Critical despite a CVSS 7.5 score.
Read more →