Microsoft patched CVE-2026-26144, a cross-site scripting flaw in Excel that chains to Copilot Agent and enables silent, clickless exfiltration of spreadsheet data to attacker-controlled endpoints. This incident signals a new class of AI-amplified exploits that demand stricter egress controls, distinct monitoring for AI-initiated activity, and updated vulnerability prioritization. #CVE-2026-26144 #CopilotAgent
Key points:
- An XSS in Excel (CVE-2026-26144) executes on file open without user interaction.
- The flaw chains to Copilot Agent, allowing silent exfiltration of spreadsheet data to external endpoints.
- AI agents amplify traditional vulnerabilities by performing autonomous actions with the application’s access.
- Mitigations include patching, blocking outbound traffic from AI-enabled apps, and separating AI-initiated network activity in monitoring and DLP.
- Organizations must reassess assistant permissions and reprioritize vulnerabilities in AI-enabled applications to account for privilege amplification.
Read More: https://www.darkreading.com/vulnerabilities-threats/every-old-vulnerability-ai-vulnerability
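The mitigations above call for separating AI-initiated network activity from ordinary traffic and restricting where AI-enabled applications may send data. The script below is an added illustration of that control, not code from Microsoft, Dark Reading, or the advisory: it reads constructed JSON proxy-log lines, tags egress from a hypothetical set of AI-enabled processes, checks each destination against an allowlist, and returns the events that warrant investigation. The process names, domains, users and log format are all assumptions made up for the example.

```python
"""Separate AI-assistant-initiated egress from other outbound traffic and
flag destinations outside an allowlist.

Added illustration only: the log format, process names, allowlist and
destinations are constructed for this example and are not taken from
Microsoft, the advisory, or any real deployment."""
from __future__ import annotations

import json
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

# Hypothetical: processes whose egress is treated as AI-initiated and held
# to the allowlist.  Real deployments would take these from their inventory.
AI_PROCESSES = {"copilot-agent.exe", "excel.exe"}

# Hypothetical allowlist of destinations an AI-enabled app may reach.
# Subdomains of an entry are allowed; look-alike suffixes are not.
DEFAULT_ALLOWLIST = {"graph.microsoft.com", "login.microsoftonline.com"}


@dataclass(frozen=True)
class EgressEvent:
    process: str
    host: str
    user: str
    bytes_out: int
    ai_initiated: bool
    reason: str  # "non-ai", "ai-allowed", or "ai-egress-to-unlisted-host"


def host_allowed(host: str, allowlist: set[str]) -> bool:
    """True if host is an allowlisted name or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowlist)


def parse_event(line: str) -> tuple[str, str, str, int]:
    """Parse one constructed JSON proxy-log line into its relevant fields."""
    rec = json.loads(line)
    host = urlparse(rec["url"]).hostname or ""
    return rec["process"].lower(), host, rec["user"], int(rec.get("bytes_out", 0))


def classify(lines, allowlist=DEFAULT_ALLOWLIST, ai_processes=AI_PROCESSES):
    """Tag every log line as non-AI, AI-to-allowed-host, or AI-to-unlisted-host."""
    events = []
    for line in lines:
        process, host, user, bytes_out = parse_event(line)
        ai = process in ai_processes
        if not ai:
            reason = "non-ai"
        elif host_allowed(host, allowlist):
            reason = "ai-allowed"
        else:
            reason = "ai-egress-to-unlisted-host"
        events.append(EgressEvent(process, host, user, bytes_out, ai, reason))
    return events


def flagged(events):
    """Only the AI-initiated connections that left the allowlist."""
    return [e for e in events if e.reason == "ai-egress-to-unlisted-host"]


def summarize(events) -> dict:
    """Per-reason counts, useful for a dashboard that keeps AI traffic separate."""
    return dict(Counter(e.reason for e in events))


# Constructed sample proxy log: four outbound requests from two workstations.
SAMPLE_LOG = [
    '{"process": "EXCEL.EXE", "user": "alice", "url": "https://graph.microsoft.com/v1.0/me", "bytes_out": 512}',
    '{"process": "copilot-agent.exe", "user": "alice", "url": "https://collector.example.invalid/upload?id=1", "bytes_out": 48213}',
    '{"process": "outlook.exe", "user": "bob", "url": "https://mail.example.org/sync", "bytes_out": 1024}',
    '{"process": "copilot-agent.exe", "user": "bob", "url": "https://login.microsoftonline.com/common/oauth2", "bytes_out": 300}',
]


if __name__ == "__main__":
    events = classify(SAMPLE_LOG)
    print(summarize(events))
    for e in flagged(events):
        print(f"ALERT user={e.user} process={e.process} host={e.host} bytes_out={e.bytes_out}")
```

In practice the same split (AI-initiated versus everything else) belongs in the proxy or DLP policy itself, so the unlisted-host case is blocked rather than merely alerted on; the classifier here shows how the log-side view of that policy looks and why the AI processes need their own allowlist rather than the one applied to the rest of the host.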