May 2026: Microsoft Word Information Disclosure Vulnerability
CVE-2026-40421 Published on May 12, 2026

Microsoft Word Information Disclosure Vulnerability
External control of file name or path in Microsoft Office Word allows an unauthorized attacker to disclose information over a network.

Vendor Advisory NVD

Weakness Type

External Control of File Name or Path

The software allows user input to control or influence paths or file names that are used in filesystem operations.

Products Associated with CVE-2026-40421

Want to know whenever a new CVE is published for Microsoft products? stack.watch will email you.

Microsoft Office 2019

Microsoft 365 Apps

Microsoft Office 2021

Microsoft Office 2024

Microsoft Word 2016

Affected Versions

Microsoft 365 Apps for Enterprise:

Version 16.0.1 and below https://aka.ms/OfficeSecurityReleases is affected.

Microsoft Office 2019:

Version 19.0.0 and below https://aka.ms/OfficeSecurityReleases is affected.

Microsoft Office LTSC 2021:

Version 16.0.1 and below https://aka.ms/OfficeSecurityReleases is affected.

Microsoft Office LTSC 2024:

Version 16.0.0 and below https://aka.ms/OfficeSecurityReleases is affected.

Microsoft Word 2016:

Version 16.0.1 and below 16.0.5552.1000 is affected.

May 2026: Microsoft Word Information Disclosure VulnerabilityCVE-2026-40421 Published on May 12, 2026

Weakness Type

External Control of File Name or Path

Products Associated with CVE-2026-40421

Affected Versions

May 2026: Microsoft Word Information Disclosure Vulnerability
CVE-2026-40421 Published on May 12, 2026