365 Apps Microsoft 365 Apps

  1. Vendors
  2. Microsoft
  3. 365 Apps

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in Microsoft 365 Apps.

By the Year

In 2026 there have been 51 vulnerabilities in Microsoft 365 Apps with an average score of 7.7 out of ten. Last year, in 2025 365 Apps had 154 security vulnerabilities published. Right now, 365 Apps is on track to have less security vulnerabilities in 2026 than it did last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.05.




Year Vulnerabilities Average Score
2026 51 7.75
2025 154 7.70
2024 42 7.69
2023 55 7.36
2022 46 7.26
2021 64 7.45
2020 54 7.30

It may take a day or so for new 365 Apps vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Microsoft 365 Apps Security Vulnerabilities

May 2026: Microsoft Office Click-To-Run Elevation of Privilege Vulnerability
CVE-2026-40420 8.8 - High - May 12, 2026

Improper access control in Microsoft Office Click-To-Run allows an authorized attacker to elevate privileges locally.

Authorization

May 2026: Microsoft Office Click-To-Run Elevation of Privilege Vulnerability
CVE-2026-35436 8.8 - High - May 12, 2026

Insufficient granularity of access control in Microsoft Office Click-To-Run allows an authorized attacker to elevate privileges locally.

Insufficient Granularity of Access Control

May 2026: Microsoft Office Click-To-Run Elevation of Privilege Vulnerability
CVE-2026-40418 7.8 - High - May 12, 2026

Use after free in Microsoft Office Click-To-Run allows an authorized attacker to elevate privileges locally.

Dangling pointer

May 2026: Microsoft Word Remote Code Execution Vulnerability
CVE-2026-40367 8.4 - High - May 12, 2026

Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally.

Untrusted Pointer Dereference

May 2026: Microsoft Excel Remote Code Execution Vulnerability
CVE-2026-40362 7.8 - High - May 12, 2026

Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Heap-based Buffer Overflow

May 2026: Microsoft Word Remote Code Execution Vulnerability
CVE-2026-40361 8.4 - High - May 12, 2026

Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.

Dangling pointer

May 2026: Microsoft Excel Remote Code Execution Vulnerability
CVE-2026-40359 7.8 - High - May 12, 2026

Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Dangling pointer

May 2026: Microsoft Office Remote Code Execution Vulnerability
CVE-2026-40358 8.4 - High - May 12, 2026

Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.

Dangling pointer

May 2026: Microsoft Word Information Disclosure Vulnerability
CVE-2026-40421 4.3 - Medium - May 12, 2026

External control of file name or path in Microsoft Office Word allows an unauthorized attacker to disclose information over a network.

External Control of File Name or Path

May 2026: Microsoft Office Click-To-Run Elevation of Privilege Vulnerability
CVE-2026-40419 7.8 - High - May 12, 2026

Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally.

Dangling pointer

May 2026: Microsoft Word Remote Code Execution Vulnerability
CVE-2026-40366 8.4 - High - May 12, 2026

Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.

Dangling pointer

May 2026: Microsoft Word Remote Code Execution Vulnerability
CVE-2026-40364 8.4 - High - May 12, 2026

Access of resource using incompatible type ('type confusion') in Microsoft Office Word allows an unauthorized attacker to execute code locally.

Object Type Confusion

May 2026: Microsoft Office Remote Code Execution Vulnerability
CVE-2026-40363 8.4 - High - May 12, 2026

Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.

Heap-based Buffer Overflow

May 2026: Microsoft Excel Information Disclosure Vulnerability
CVE-2026-40360 7.8 - High - May 12, 2026

Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.

Out-of-bounds Read

May 2026: Microsoft Word Information Disclosure Vulnerability
CVE-2026-35440 5.5 - Medium - May 12, 2026

Files or directories accessible to external parties in Microsoft Office Word allows an unauthorized attacker to disclose information locally.

Files or Directories Accessible to External Parties

Apr 2026: Microsoft Word Remote Code Execution Vulnerability
CVE-2026-33115 8.4 - High - April 14, 2026

Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.

Dangling pointer

Apr 2026: Microsoft Word Remote Code Execution Vulnerability
CVE-2026-33114 8.4 - High - April 14, 2026

Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally.

Untrusted Pointer Dereference

Apr 2026: Microsoft PowerPoint Remote Code Execution Vulnerability
CVE-2026-32200 7.8 - High - April 14, 2026

Use after free in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally.

Dangling pointer

Apr 2026: Microsoft Excel Remote Code Execution Vulnerability
CVE-2026-32199 7.8 - High - April 14, 2026

Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Dangling pointer

Apr 2026: Microsoft Excel Remote Code Execution Vulnerability
CVE-2026-32198 7.8 - High - April 14, 2026

Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Dangling pointer

Apr 2026: Microsoft Excel Remote Code Execution Vulnerability
CVE-2026-32197 7.8 - High - April 14, 2026

Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Dangling pointer

Apr 2026: Microsoft Office Remote Code Execution Vulnerability
CVE-2026-32190 8.4 - High - April 14, 2026

Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.

Dangling pointer

Apr 2026: Microsoft Word Remote Code Execution Vulnerability
CVE-2026-23657 7.8 - High - April 14, 2026

Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.

Dangling pointer

Apr 2026: Microsoft Word Information Disclosure Vulnerability
CVE-2026-33822 6.1 - Medium - April 14, 2026

Out-of-bounds read in Microsoft Office Word allows an unauthorized attacker to disclose information locally.

Out-of-bounds Read

Apr 2026: Microsoft Word Remote Code Execution Vulnerability
CVE-2026-33095 7.8 - High - April 14, 2026

Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.

Dangling pointer

Apr 2026: Microsoft Excel Remote Code Execution Vulnerability
CVE-2026-32189 7.8 - High - April 14, 2026

Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Dangling pointer

Apr 2026: Microsoft Excel Information Disclosure Vulnerability
CVE-2026-32188 7.1 - High - April 14, 2026

Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.

Out-of-bounds Read

Mar 2026: Microsoft Excel Information Disclosure Vulnerability
CVE-2026-26144 7.5 - High - March 10, 2026

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network.

XSS

Mar 2026: Microsoft Office Remote Code Execution Vulnerability
CVE-2026-26110 8.4 - High - March 10, 2026

Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally.

Object Type Confusion

Mar 2026: Microsoft Excel Remote Code Execution Vulnerability
CVE-2026-26109 8.4 - High - March 10, 2026

Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Out-of-bounds Read

Mar 2026: Microsoft Excel Remote Code Execution Vulnerability
CVE-2026-26108 7.8 - High - March 10, 2026

Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Heap-based Buffer Overflow

Mar 2026: Microsoft Excel Remote Code Execution Vulnerability
CVE-2026-26107 7.8 - High - March 10, 2026

Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Dangling pointer

Mar 2026: Microsoft Excel Remote Code Execution Vulnerability
CVE-2026-26112 7.8 - High - March 10, 2026

Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Untrusted Pointer Dereference

Mar 2026: Microsoft Office Remote Code Execution Vulnerability
CVE-2026-26113 8.4 - High - March 10, 2026

Untrusted pointer dereference in Microsoft Office allows an unauthorized attacker to execute code locally.

Untrusted Pointer Dereference

Feb 2026: Microsoft Excel Information Disclosure Vulnerability
CVE-2026-21261 5.5 - Medium - February 10, 2026

Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.

Out-of-bounds Read

Feb 2026: Microsoft Outlook Spoofing Vulnerability
CVE-2026-21511 7.5 - High - February 10, 2026

Deserialization of untrusted data in Microsoft Office Outlook allows an unauthorized attacker to perform spoofing over a network.

Marshaling, Unmarshaling

Feb 2026: Microsoft Word Security Feature Bypass Vulnerability
CVE-2026-21514 7.8 - High - February 10, 2026

Reliance on untrusted inputs in a security decision in Microsoft Office Word allows an unauthorized attacker to bypass a security feature locally.

Reliance on Untrusted Inputs in a Security Decision

Feb 2026: Microsoft Outlook Spoofing Vulnerability
CVE-2026-21260 7.5 - High - February 10, 2026

Exposure of sensitive information to an unauthorized actor in Microsoft Office Outlook allows an unauthorized attacker to perform spoofing over a network.

Information Disclosure

Feb 2026: Microsoft Excel Information Disclosure Vulnerability
CVE-2026-21258 5.5 - Medium - February 10, 2026

Improper input validation in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.

Improper Input Validation

Feb 2026: Microsoft Excel Elevation of Privilege Vulnerability
CVE-2026-21259 7.8 - High - February 10, 2026

Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to elevate privileges locally.

Heap-based Buffer Overflow

Jan 2026: Microsoft Office Security Feature Bypass Vulnerability
CVE-2026-21509 7.8 - High - January 26, 2026

Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.

Reliance on Untrusted Inputs in a Security Decision

Jan 2026: Microsoft Excel Remote Code Execution Vulnerability
CVE-2026-20957 7.8 - High - January 13, 2026

Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Integer underflow

Jan 2026: Microsoft Excel Remote Code Execution Vulnerability
CVE-2026-20950 7.8 - High - January 13, 2026

Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Dangling pointer

Jan 2026: Microsoft Office Remote Code Execution Vulnerability
CVE-2026-20952 8.4 - High - January 13, 2026

Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.

Dangling pointer

Jan 2026: Microsoft Word Remote Code Execution Vulnerability
CVE-2026-20948 7.8 - High - January 13, 2026

Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally.

Untrusted Pointer Dereference

Jan 2026: Microsoft Excel Security Feature Bypass Vulnerability
CVE-2026-20949 7.8 - High - January 13, 2026

Improper access control in Microsoft Office Excel allows an unauthorized attacker to bypass a security feature locally.

Authorization

Jan 2026: Microsoft Excel Remote Code Execution Vulnerability
CVE-2026-20956 7.8 - High - January 13, 2026

Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Untrusted Pointer Dereference

Jan 2026: Microsoft Office Remote Code Execution Vulnerability
CVE-2026-20953 8.4 - High - January 13, 2026

Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.

Dangling pointer

Jan 2026: Microsoft Excel Remote Code Execution Vulnerability
CVE-2026-20955 7.8 - High - January 13, 2026

Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Untrusted Pointer Dereference

Jan 2026: Microsoft Excel Remote Code Execution Vulnerability
CVE-2026-20946 7.8 - High - January 13, 2026

Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Out-of-bounds Read

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Microsoft 365 Apps or by Microsoft? Click the Watch button to subscribe.

Microsoft
Vendor

Microsoft 365 Apps
Product

subscribe