Revision History

A critical cross-site scripting vulnerability in Microsoft Excel (CVE-2026-26144), patched in March 2026, can weaponize Copilot's Agent mode to silently exfiltrate corporate data in a zero-click attack. The bug is the latest in a pattern of AI assistant vulnerabilities — including EchoLeak and Reprompt — that exploit the fundamental tension between AI utility and security, turning the broad data access that makes tools like Copilot productive into a potent attack vector affecting enterprises worldwide.