Actively exploited in the wild
Microsoft Office Security Feature Bypass Vulnerability
Microsoft — Office · Listed in the CISA KEV since 2026-01-26. A KEV listing means CISA has evidence of active exploitation in the wild, not merely a published proof of concept.
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CVE-2026-21509
Severity: High (CVSS 7.8)
CISA KEV: listed
Exploitation probability (EPSS): very high risk, 99th percentile (higher than 99% of all CVEs scored by EPSS)
Summary
Microsoft Office makes a security decision based on input it should not trust (the weakness class CWE-807, Reliance on Untrusted Inputs in a Security Decision), which lets an unauthenticated attacker bypass one of Office's security features. The attack vector is local: in practice this means the victim opens or interacts with a crafted Office document that the attacker has delivered, rather than the attacker reaching Office over the network. The vendor advisory should be consulted for which security feature is bypassed and which Office builds are affected; this page does not reproduce those details.
Risk Assessment
A successful bypass removes a protection Office relies on when handling untrusted documents, so the realistic exposure is a phishing or file-sharing scenario in which a user opens a malicious document and Office grants access to data or functionality it should have blocked. Because the flaw is already listed in the CISA KEV and sits in the 99th EPSS percentile, any organization running unpatched Office on user workstations should treat it as an active threat rather than a theoretical one.
Recommendation
Input validation inside Office is Microsoft's to fix, not the deploying organization's; the actionable steps are to apply the security update or the mitigations Microsoft publishes for the affected Office products as a priority, to verify that every Office install (including per-user and Click-to-Run installs that may lag the managed update channel) has actually received the fixed build, and, per BOD 22-01, to discontinue use of any affected product for which no mitigation is available. Until patched, reduce exposure by limiting which users receive Office documents from untrusted sources and by alerting on Office processes spawning unexpected child processes.
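The verification step above is the one most often skipped, so here is a host-side check written as an added example for this page; it is not part of the advisory and not Microsoft's tooling. It reads the version and update channel that Click-to-Run Office records in the registry and compares the version against the fixed build the operator supplies. The fixed build itself must be taken from the vendor advisory for CVE-2026-21509 and differs per update channel; nothing here assumes a particular build number. MSI-based Office installs are outside the scope of this check.

```powershell
<#
Added example: checks whether a Click-to-Run Office install (Microsoft 365 Apps,
Office 2019/2021/2024 C2R) on this host is at or above a fixed build.
Assumptions: -FixedBuild is copied from the vendor advisory for CVE-2026-21509 for
the update channel this host reports; MSI-based Office installs are not covered.
#>
param(
    [Parameter(Mandatory = $true)]
    [version]$FixedBuild   # fixed build for this host's channel, per the vendor advisory
)

# Registry key that Click-to-Run Office populates with its installed configuration
$C2RConfigKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'

function Get-OfficeC2RInfo {
    # Returns installed version, platform and update-channel URL, or $null if no C2R install
    if (-not (Test-Path -Path $C2RConfigKey)) { return $null }
    $cfg = Get-ItemProperty -Path $C2RConfigKey
    [pscustomobject]@{
        Version       = [version]$cfg.VersionToReport   # e.g. 16.0.NNNNN.NNNNN
        Platform      = $cfg.Platform                   # x86 or x64
        UpdateChannel = $cfg.UpdateChannel              # CDN URL identifying the channel
    }
}

function Test-OfficeAtOrAboveBuild {
    param(
        [Parameter(Mandatory = $true)][version]$Installed,
        [Parameter(Mandatory = $true)][version]$Fixed
    )
    # [version] compares major.minor.build.revision numerically, so a plain >= is correct;
    # string comparison would misorder builds such as 16.0.9999 and 16.0.10000
    return $Installed -ge $Fixed
}

$info = Get-OfficeC2RInfo
if ($null -eq $info) {
    Write-Warning 'No Click-to-Run Office configuration found; inventory MSI-based Office separately.'
    exit 2
}

$patched = Test-OfficeAtOrAboveBuild -Installed $info.Version -Fixed $FixedBuild

# Emit a record that a compliance report or remediation job can consume
[pscustomobject]@{
    ComputerName  = $env:COMPUTERNAME
    Installed     = $info.Version.ToString()
    Platform      = $info.Platform
    UpdateChannel = $info.UpdateChannel
    FixedBuild    = $FixedBuild.ToString()
    Patched       = $patched
} | Format-List

# Non-zero exit code makes an unpatched host visible to whatever scheduler runs this
if (-not $patched) { exit 1 }
```

Run it once per host (for example through the management tooling already used for Office deployment) with the fixed build for the channel shown in UpdateChannel; a host reporting a different channel than expected needs its build compared against that channel's fixed build, not the one you passed in.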
Original NVD description (English source)
Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.

