Agents
CVE-2026-26144: Microsoft Excel XSS Chains to Copilot Agent for Silent, Clickless Spreadsheet Data Exfiltration
Microsoft's April 2026 Patch Tuesday (163 CVEs) includes CVE-2026-26144, a cross-site scripting flaw in Excel that chains directly to the Copilot Agent integration, enabling silent exfiltration of spreadsheet data to attacker-controlled endpoints without user interaction. This is one of the first documented attack chains where a traditional web vulnerability (XSS) is weaponized specifically to exploit an AI agent integration, representing a new class of agent-adjacent attack surface in enterprise productivity tools.
Source
↳ Follow the thread