CVE-2026-40421 MEDIUM

CVE-2026-40421: Microsoft Word Information Disclosure Vulnerability

Vendor Microsoft
Product Microsoft 365 Apps for Enterprise
Weakness CWE-73
Published May 12, 2026
Last update June 9, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

What the vulnerability does

01Description

Files or directories accessible to external parties in Microsoft Office Word allows an unauthorized attacker to disclose information locally.

Key dates

02Disclosure timeline

May 12, 2026 CVE published
June 9, 2026 Record updated