ELEVATED 3 min read 13 May 2026

Microsoft Patch Tuesday, SharePoint and Word RCEs Set the 13 May Patch Queue

Microsoft’s May 2026 Patch Tuesday is today’s lead because the 13 May source material reports 120 fixes and active exploitation somewhere in the wider release. The named SharePoint, Word and Azure Logic Apps CVEs should drive immediate inventory and patch checks, but exploitation is not attributed to those specific CVEs in the source material.

Key findings
01
Finding: Microsoft SharePoint Server CVE-2026-40365 and CVE-2026-33110 require priority checks
HIGH
[High] MSRC entries in the 13 May intake list two SharePoint Server remote-code-execution vulnerabilities, CVE-2026-40365 and CVE-2026-33110. The intake records CVE-2026-40365 with CVSS 8.8 and marks active exploitation as no for the SharePoint finding.
02
Finding: Azure Logic Apps CVE-2026-42823 adds cloud privilege risk
HIGH
[High] Microsoft source material lists CVE-2026-42823 as an Azure Logic Apps elevation-of-privilege vulnerability with CVSS 7.8 and no active exploitation indicated for that specific CVE.
03
Finding: Microsoft Word CVE-2026-40366 keeps endpoint patching in scope
HIGH
[High] MSRC lists CVE-2026-40366 as a Microsoft Word remote-code-execution vulnerability. The intake records CVSS 7.8 and marks active exploitation as no for this item.
04
Finding: Microsoft May 2026 Patch Tuesday gives teams a broad patch window
MEDIUM
[Medium] The 13 May source material includes BleepingComputer reporting that Microsoft’s May 2026 Patch Tuesday fixes 120 flaws and says active exploitation is confirmed somewhere in the release.
05
Update: Red Hat Enterprise Linux libsoup advisories remain in the maintenance queue
MEDIUM
[Medium] BSI CERT-Bund updated WID-SEC-2026-0305 for Red Hat Enterprise Linux libsoup vulnerabilities including CVE-2026-0719 and CVE-2026-1761. The intake also lists WID-SEC-2025-2830 for libsoup CVE-2025-12105 denial of service.
06
Finding: Microsoft spoofing items sit behind the RCE and privilege work
LOW
[Low] The intake lists three lower-confidence Microsoft spoofing vulnerabilities: Azure Machine Learning Notebook CVE-2026-33833, M365 Copilot for Desktop CVE-2026-41614 and Microsoft 365 Copilot for Android CVE-2026-41100.

Finding: Microsoft May 2026 Patch Tuesday gives teams a broad patch window

Confidence: Medium

The 13 May source material includes BleepingComputer reporting that Microsoft’s May 2026 Patch Tuesday fixes 120 flaws and says active exploitation is confirmed somewhere in the release. The same source line does not identify the exploited CVEs, so the right client-facing position is urgent patch management without claiming exploitation of the specific SharePoint, Word or Azure items listed below.

Put Microsoft patch review at the front of today’s queue. Security teams should confirm update coverage across servers, endpoints and cloud-connected Microsoft services, then watch for any follow-up vendor or community reporting that names exploited CVEs from the release.

Finding: Microsoft SharePoint Server CVE-2026-40365 and CVE-2026-33110 require priority checks

Confidence: High

MSRC entries in the 13 May intake list two SharePoint Server remote-code-execution vulnerabilities, CVE-2026-40365 and CVE-2026-33110. The intake records CVE-2026-40365 with CVSS 8.8 and marks active exploitation as no for the SharePoint finding.

SharePoint usually sits close to collaboration data and identity-backed workflows, so exposure matters. Organisations running SharePoint Server should identify affected instances, check whether the relevant updates are already installed, and prioritise externally reachable or high-trust deployments first.

Finding: Azure Logic Apps CVE-2026-42823 adds cloud privilege risk

Confidence: High

Microsoft source material lists CVE-2026-42823 as an Azure Logic Apps elevation-of-privilege vulnerability with CVSS 7.8 and no active exploitation indicated for that specific CVE. Put it near the top of the Azure review queue, especially where Logic Apps connects workflows, identities and service integrations.

Teams should confirm which subscriptions and workflows could be affected, then apply the relevant Microsoft guidance. If Logic Apps has privileged connectors or sensitive automation paths, treat those environments as higher priority.

Finding: Microsoft Word CVE-2026-40366 keeps endpoint patching in scope

Confidence: High

MSRC lists CVE-2026-40366 as a Microsoft Word remote-code-execution vulnerability. The intake records CVSS 7.8 and marks active exploitation as no for this item.

The operational risk is user-facing rather than server-side. Endpoint and productivity teams should confirm Office update deployment, prioritise users who regularly handle external documents, and keep mail and document-handling controls aligned with the patch rollout.

Finding: Microsoft spoofing items sit behind the RCE and privilege work

Confidence: Low

The intake lists three lower-confidence Microsoft spoofing vulnerabilities: Azure Machine Learning Notebook CVE-2026-33833, M365 Copilot for Desktop CVE-2026-41614 and Microsoft 365 Copilot for Android CVE-2026-41100. Each is marked CVSS 6.5, with no active exploitation indicated in the source material.

These should not displace the SharePoint, Word or Azure Logic Apps work. Still, give them an owner where Copilot or Azure Machine Learning is deployed to users handling sensitive data or privileged workflows.

Update: Red Hat Enterprise Linux libsoup advisories remain in the maintenance queue

Confidence: Medium

BSI CERT-Bund updated WID-SEC-2026-0305 for Red Hat Enterprise Linux libsoup vulnerabilities including CVE-2026-0719 and CVE-2026-1761. The intake also lists WID-SEC-2025-2830 for libsoup CVE-2025-12105 denial of service. The source material notes that BSI CVSS values are not explicitly provided, so severity language should stay measured.

RHEL owners should check affected packages and schedule updates according to exposure and service criticality. These advisories matter, but today’s highest urgency remains the Microsoft patch queue.
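
One way to run the package check described above (an added example, not part of the original brief or of any Red Hat or BSI tooling). It assumes the package is named `libsoup` and that fixed builds name the CVE IDs in the RPM changelog; the sample changelog is constructed.

```shell
#!/bin/sh
# Added example: check an RPM changelog for the libsoup CVEs named in this brief.
# Red Hat backports fixes, so the version string alone does not show patch
# state; changelog entries that name a CVE ID do.

CVES="CVE-2026-0719 CVE-2026-1761 CVE-2025-12105"

# Constructed sample changelog (not real package data) for offline runs.
sample_changelog() {
    cat <<'EOF'
* Tue May 05 2026 Example Maintainer <maint@example.com> - 0.0.0-2
- Backport fix for CVE-2026-0719
* Mon Jan 12 2026 Example Maintainer <maint@example.com> - 0.0.0-1
- Backport fix (CVE-2025-12105)
EOF
}

# Reads changelog text on stdin and prints "<CVE> listed|not-listed".
# Returns 0 only when every CVE in $CVES is named in the changelog.
check_changelog() {
    log=$(cat)
    rc=0
    for cve in $CVES; do
        # -w keeps CVE-2026-0719 from matching inside a longer ID
        if printf '%s\n' "$log" | grep -qw -- "$cve"; then
            echo "$cve listed"
        else
            echo "$cve not-listed"
            rc=1
        fi
    done
    return "$rc"
}

# Live use on a RHEL host: sh check.sh --live [package]
# The package name defaults to libsoup (assumption; adjust per release).
if [ "${1:-}" = "--live" ]; then
    pkg="${2:-libsoup}"
    if rpm -q "$pkg" >/dev/null 2>&1; then
        rpm -q --changelog "$pkg" | check_changelog
    else
        echo "$pkg is not installed"
    fi
fi
```

A `not-listed` result is a prompt to compare the installed build against the advisory for that RHEL release, not proof that the host is vulnerable.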

Why This Matters

Today’s change is a shift from watchpoints to patch execution. The Microsoft release is broad, includes multiple high-impact items, and has some active exploitation reported somewhere in the wider set. That combination is enough to justify fast review, even though the source material does not tie exploitation to the named SharePoint, Word or Azure Logic Apps CVEs.

The wording matters. Overstating exploitation gives teams the wrong risk picture. Underplaying the patch window would be a mistake too.

Recommended Actions

  • Review Microsoft May 2026 Patch Tuesday coverage across servers, endpoints and cloud-connected services.
  • Prioritise SharePoint Server CVE-2026-40365 and CVE-2026-33110 for affected on-premise deployments.
  • Confirm Azure Logic Apps exposure to CVE-2026-42823, especially where workflows use privileged connectors.
  • Push Microsoft Word CVE-2026-40366 updates through endpoint patching for users handling external documents.
  • Assign owners for Azure Machine Learning Notebook CVE-2026-33833, M365 Copilot for Desktop CVE-2026-41614 and Microsoft 365 Copilot for Android CVE-2026-41100.
  • Queue Red Hat Enterprise Linux libsoup updates for CVE-2026-0719, CVE-2026-1761 and CVE-2025-12105 after the most exposed Microsoft systems are covered.

All findings grounded in a13e intelligence sweeps through 05:30 UTC 13 May 2026.
