Information disclosure in Microsoft products - CVE-2026-21260
Published: February 10, 2026
Vulnerability identifier: #VU122586
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-21260
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Microsoft
Affected software:
Microsoft SharePoint Server
Microsoft SharePoint Server Subscription Edition
Microsoft SharePoint Enterprise Server
Microsoft Office
Microsoft Outlook
Microsoft 365 Apps for Enterprise
Microsoft Office LTSC
Microsoft SharePoint Server
Microsoft SharePoint Server Subscription Edition
Microsoft SharePoint Enterprise Server
Microsoft Office
Microsoft Outlook
Microsoft 365 Apps for Enterprise
Microsoft Office LTSC
Detailed vulnerability description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application in Microsoft Outlook. A remote attacker can use a specially crafted email and gain unauthorized access to sensitive information on the system.
How to mitigate CVE-2026-21260
Install updates from vendor's website.