CVE-2026-21509

Microsoft Office Security Feature Bypass Vulnerability

Basic Information

CVE State
PUBLISHED
Reserved Date
December 30, 2025
Published Date
January 26, 2026
Last Updated
April 01, 2026
Vendor
Microsoft
Product
Microsoft 365 Apps for Enterprise, Microsoft Office 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024
Description
Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.
Tags
cisa

CVSS Scores

CVSS v3.1

7.8 - HIGH

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

SSVC Information

Exploitation
active
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2026-06-01 10:49:49 UTC)
Proof of Concept Available
Yes (added 2026-01-27 12:03:20 UTC)

Known Exploited Vulnerability Information

Source
CVE
Added Date
2026-06-01 10:49:49 UTC

Potential Proofs of Concept

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

kimstars/Ashwesker-CVE-2026-21509

Type: github • Created: 2026-01-27 12:03:20 UTC • Stars: 10

CVE-2026-21509

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Proof of Concept Exploit Available

  • Added to KEVIntel