JVNDB-2026-000013

Multiple Microsoft Office products vulnerable to untrusted search path

Multiple Microsoft Office products contain the following vulnerability.

• Untrusted search path (CWE-426, - CVE-2026-20943

Kazuma Matsumoto of GMO Cybersecurity by IERAE, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Microsoft Corporation

• Microsoft Office (64-bit edition) vertsions 16.0.0 to 16.0.5535.1000
• Microsoft Office (32-bit edition) vertsions 16.0.0 to 16.0.5535.1000
• Microsoft SharePoint Enterprise Server 2016 vertsions 16.0.0 to 16.0.5535.1001
• Microsoft SharePoint Server Subscription Edition vertsions 16.0.0 to 16.0.19127.20442
• Microsoft SharePoint Server 2019 vertsions 16.0.0 to 16.0.10417.20083
• Office Deployment Tool vertsions 1.0 to 16.0.19426.20170

Arbitrary code may be executed by a local attacker without authentication.

[Update the Software]
Update the software to the latest version according to the information provided by the developer.

Microsoft Corporation

• Microsoft : CVE-2026-20943 - Security Update Guide - Microsoft - Microsoft Office Click-To-Run Remote Code Execution Vulnerability

1. No Mapping(CWE-Other) [IPA Evaluation]

1. CVE-2026-20943

1. JVN : JVN#04984838

• [2026/02/02]
    Web page was published