U.S. CISA adds Microsoft SharePoint Server, and Microsoft Office Excel flaws to its Known Exploited Vulnerabilities catalog
April 15, 2026 
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft SharePoint Server, and Microsoft Office Excel flaws to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Apple, Laravel Livewire and Craft CMS flaws to its Known Exploited Vulnerabilities (KEV) catalog.
Below are the flaws added to the catalog:
- CVE-2009-0238 Microsoft Office Remote Code Execution Vulnerability
- CVE-2026-32201 Microsoft SharePoint Server Improper Input Validation Vulnerability
The first vulnerability added, tracked as CVE-2009-0238 (CVSS score of 9.3), affects multiple versions of Microsoft Excel and related viewers. It is triggered when a user opens a specially crafted Excel file that causes the application to access an invalid object in memory. This leads to memory corruption, allowing a remote attacker to execute arbitrary code on the affected system with the privileges of the user.
The vulnerability was actively exploited in the wild in February 2009, notably by the Trojan.Mdropper.AC malware, making it a significant real-world threat at the time.
The second flaw added to the catalog, tracked as CVE-2026-32201, is a critical SharePoint zero-day actively exploited in attacks in the wild, as reported by Microsoft.
CVE-2026-32201 (CVSS score of 6.5) is a spoofing vulnerability in Microsoft SharePoint Server, likely related to cross-site scripting (XSS). While details are limited, it could allow attackers to view or modify exposed information. Microsoft has not disclosed how widespread exploitation is, but given the potential impact, organizations, especially those with internet-facing SharePoint servers—should prioritize testing and applying the patch quickly.
“Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.” reads the advisory. “An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability).” “Exploitation Detected”
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix the vulnerabilities by April 28, 2026.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CISA)
Stephan is the sports journalist for the Maple Grove Report.
