CVE-2026-47290 is a Microsoft Office use-after-free vulnerability that can lead to remote code execution. Microsoft rates it CVSS v3.1 base 7.8 (High) and temporal 6.8; the vector is local attack vector, low attack complexity, no privileges required, and user interaction required. The issue is not publicly disclosed and is not reported as exploited. Because exploitation requires a user to open a malicious Office file, it is phishing-related, but the local attack vector means it is less relevant to network-exposed services than remote/network vulnerabilities. Highlights: - CVSS scores: Base 7.8 - Temporal 6.8 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN. - Impact: Remote Code Execution with HIGH confidentiality, integrity, and availability impacts. - Exploitation likelihood: Exploitation Less Likely; vector is LOCAL with LOW attack complexity, NO privileges required, and UI required. - Severity for enterprise: High severity as a client-side Office code execution issue, but lower enterprise exposure than network-based vulnerabilities because exploitation depends on local execution and user interaction. - Patch status: available; customer action required. Affected systems: - No products listed in product_tree.