securityaffairs.com 4/15/2026, 3:06:57 PM · via preferred

CISA adds old Excel RCE and SharePoint flaw to KEV list

CyberSIXT Evidence Panel
Primary source: cisa.gov
CISA KEV: listed in KEV
Patch: available

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two flaws to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2009-0238, a Microsoft Office remote code execution vulnerability affecting multiple versions of Excel, and CVE-2026-32201, a Microsoft SharePoint Server input validation flaw with a spoofing impact (potentially linked to cross-site scripting).

CVE-2009-0238 carries a CVSS score of 9.3 and was historically exploited in the wild in February 2009, notably by the Trojan.Mdropper[.]AC malware. CVE-2026-32201 has a CVSS score of 6.5 and is described as a spoofing vulnerability that could allow attackers to view or modify exposed information.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, agencies are required to address these vulnerabilities by the due date to protect their networks, and CISA has ordered federal agencies to patch them by 28 April 2026. Private organisations are advised to review the KEV catalog and prioritise testing and remediation of the affected infrastructure.

Article by CyberSIXT
