Untrusted Search Path Vulnerability in Microsoft Office
CVE-2026-20943

7 HIGH

What is CVE-2026-20943?

The untrusted search path vulnerability in Microsoft Office presents a significant security risk by enabling unauthorized attackers to execute code on affected systems. This flaw allows an attacker to manipulate the search path used by the application, leading to the execution of malicious code without user consent, potentially compromising the system's integrity. Organizations using vulnerable versions of Microsoft Office should prioritize applying the latest security patches to mitigate risk and protect sensitive information.

Affected Version(s)

Microsoft Office 2016 (32-bit Systems): 16.0.0 < 16.0.5535.1000

Microsoft Office Deployment Tool: 1.0 < 16.0.19426.20170

Microsoft SharePoint Enterprise Server 2016 (x64-based Systems): 16.0.0 < 16.0.5535.1001

CVSS V3.1

Score: 7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
