What is CVE-2026-40421?

CVE-2026-40421 is a medium-severity vulnerability in Microsoft 365_apps, classified under External Control of File Name or Path. CVSS score: 4.3/10. Published 2026-05-12.

How severe is CVE-2026-40421?

Medium severity. CVSS v3 base score is 4.3 out of 10.

Vulnerability in Microsoft 365_apps

CVE-2026-40421

Files or directories accessible to external parties in Microsoft Office Word allows an unauthorized attacker to disclose information locally.

EPSS: 0.001 (16.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 4.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N.

Affected products

Microsoft 365_apps
Microsoft 365 Apps For Enterprise — versions 16.0.1
Microsoft Office 2019 — versions 19.0.0
Microsoft Office Ltsc 2021 — versions 16.0.1
Microsoft Office Ltsc 2024 — versions 16.0.0
Microsoft Word 2016 — versions 16.0.1
Microsoft Office — versions 2019, 2021, 2024
Microsoft Office_long_term_servicing_channel — versions 2021
Microsoft Word — versions 2016

Weakness classification (CWE)

CWE-73 — External Control of File Name or Path

References

secure@microsoft.com (vendor-advisory, patch, Vendor Advisory)

Frequently asked questions

What is CVE-2026-40421?: CVE-2026-40421 is a medium-severity vulnerability in Microsoft 365_apps, classified under External Control of File Name or Path. CVSS score: 4.3/10. Published 2026-05-12.
How severe is CVE-2026-40421?: Medium severity. CVSS v3 base score is 4.3 out of 10.