Found 1,243 results in 667ms · Match type: Filtered list

CVE Severity CVSS Risk Flags OS Vendor Published Description
CVE-2026-47294 high 8.0 8.0 microsoft 2d ago Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
CVE-2026-42899 high 7.5 7.5 FIX rhel macos macos linux-kernel microsoft 8d ago Important: .NET 9.0 security update
CVE-2026-42827 medium 6.5 6.5 windows windows microsoft 12d ago Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.
CVE-2026-35430 high 8.8 8.8 windows windows microsoft 12d ago Authorization bypass through user-controlled key in Azure Privileged Identity Management (PIM) allows an authorized attacker to elevate privileges over a network.
CVE-2026-26147 high 7.7 7.7 windows windows microsoft 12d ago Improper input validation in Azure Compute Gallery allows an authorized attacker to disclose information over a network.
CVE-2026-23663 high 7.5 7.5 windows windows microsoft 12d ago Improper privilege management in Azure Entra ID allows an unauthorized attacker to elevate privileges over a network.
CVE-2026-45659 high 8.8 8.8 windows windows microsoft 12d ago Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
CVE-2026-45584 high 8.1 8.1 windows windows microsoft 15d ago Heap-based buffer overflow in Microsoft Defender allows an unauthorized attacker to execute code over a network.
CVE-2026-42834 high 7.8 7.8 windows windows microsoft 15d ago Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges over a network.
CVE-2026-41091 high 7.8 9.3 KEV windows windows microsoft 15d ago Microsoft Defender contains a link following vulnerability that allows an authorized attacker to elevate privileges locally.
CVE-2026-45498 medium 4.0 5.5 KEV windows windows microsoft 15d ago Microsoft Defender contains an unspecified vulnerability that allows for denial of service.
CVE-2026-45495 high 8.8 8.8 windows windows microsoft 16d ago Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
CVE-2026-45494 medium 5.4 5.4 windows windows microsoft 16d ago Microsoft Edge (Chromium-based) Spoofing Vulnerability
CVE-2026-45492 medium 5.4 5.4 windows windows microsoft 16d ago Improper input validation in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network.
CVE-2026-42897 high 8.1 9.6 KEV windows windows microsoft 20d ago Microsoft Exchange Server contains a cross-site scripting vulnerability during web page generation in Outlook Web Access and when certain interaction conditions are met, arbitrary JavaScript can be e…
CVE-2026-42893 high 7.4 7.4 windows windows microsoft 22d ago Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to perform tampering over a network.
CVE-2026-42891 medium 6.5 6.5 windows windows microsoft 22d ago User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-42838 medium 5.4 5.4 windows windows microsoft 22d ago Improper neutralization of special elements in output used by a downstream component ('injection') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to elevate privileges over a netw…
CVE-2026-42832 high 7.7 7.7 windows windows microsoft 22d ago Improper access control in Microsoft Office allows an unauthorized attacker to perform spoofing locally.
CVE-2026-42831 high 7.8 7.8 windows windows microsoft 22d ago Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.
CVE-2026-42830 medium 6.5 6.5 windows windows microsoft 22d ago Untrusted search path in Azure Monitor Agent allows an authorized attacker to elevate privileges locally.
CVE-2026-41614 medium 6.2 6.2 windows windows microsoft 22d ago Improper access control in M365 Copilot for Desktop allows an unauthorized attacker to perform spoofing locally.
CVE-2026-41613 high 8.8 8.8 windows windows microsoft 22d ago Session fixation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.
CVE-2026-41612 medium 5.5 5.5 windows windows microsoft 22d ago Relative path traversal in Visual Studio Code allows an unauthorized attacker to disclose information locally.
CVE-2026-41611 high 7.8 7.8 windows windows microsoft 22d ago Improper neutralization of script-related html tags in a web page (basic xss) in Visual Studio Code allows an unauthorized attacker to execute code locally.
CVE-2026-41610 medium 6.3 6.3 windows windows microsoft 22d ago Improper neutralization of input during web page generation ('cross-site scripting') in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally.
CVE-2026-41109 high 8.8 8.8 windows windows microsoft 22d ago Improper neutralization of special elements in output used by a downstream component ('injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to bypass a security feature ove…
CVE-2026-41107 high 7.4 7.4 windows windows microsoft 22d ago External control of file name or path in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose information over a network.
CVE-2026-41102 high 7.1 7.1 windows windows microsoft 22d ago Improper access control in Microsoft Office PowerPoint allows an authorized attacker to perform spoofing locally.
CVE-2026-41101 high 7.1 7.1 windows windows microsoft 22d ago Improper access control in Microsoft Office Word allows an authorized attacker to perform spoofing locally.
CVE-2026-41100 medium 4.4 4.4 windows windows microsoft 22d ago Improper access control in M365 Copilot allows an authorized attacker to perform spoofing locally.
CVE-2026-41094 high 8.8 8.8 windows windows microsoft 22d ago Improper control of generation of code ('code injection') in Microsoft Data Formulator allows an unauthorized attacker to execute code over a network.
CVE-2026-41086 high 8.8 8.8 windows windows microsoft 22d ago Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges over a network.
CVE-2026-40421 medium 4.3 4.3 windows windows microsoft 22d ago Files or directories accessible to external parties in Microsoft Office Word allows an unauthorized attacker to disclose information locally.
CVE-2026-40420 high 8.8 8.8 windows windows microsoft 22d ago Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally.
CVE-2026-40419 high 7.8 7.8 windows windows microsoft 22d ago Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally.
CVE-2026-40418 high 7.8 7.8 windows windows microsoft 22d ago Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally.
CVE-2026-40417 high 7.8 7.8 windows windows microsoft 22d ago Weak authentication in Dynamics Business Central allows an authorized attacker to elevate privileges locally.
CVE-2026-40416 medium 4.3 4.3 windows windows microsoft 22d ago User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-40381 high 7.8 7.8 windows windows microsoft 22d ago Improper access control in Azure Connected Machine Agent allows an authorized attacker to elevate privileges locally.
CVE-2026-40374 medium 6.5 6.5 windows windows microsoft 22d ago Exposure of sensitive information to an unauthorized actor in Power Automate allows an authorized attacker to disclose information over a network.
CVE-2026-40368 high 8.0 8.0 windows windows microsoft 22d ago Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
CVE-2026-40367 high 8.4 8.4 windows windows microsoft 22d ago Access of resource using incompatible type ('type confusion') in Microsoft Office Word allows an unauthorized attacker to execute code locally.
CVE-2026-40366 high 8.4 8.4 windows windows microsoft 22d ago Access of resource using incompatible type ('type confusion') in Microsoft Office Word allows an unauthorized attacker to execute code locally.
CVE-2026-40365 high 8.8 8.8 windows windows microsoft 22d ago Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
CVE-2026-40364 high 8.4 8.4 windows windows microsoft 22d ago Access of resource using incompatible type ('type confusion') in Microsoft Office Word allows an unauthorized attacker to execute code locally.
CVE-2026-40363 high 8.4 8.4 windows windows microsoft 22d ago Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.
CVE-2026-40362 high 7.8 7.8 windows windows microsoft 22d ago Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2026-40361 high 8.4 8.4 windows windows microsoft 22d ago Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
CVE-2026-40360 high 7.8 7.8 windows windows microsoft 22d ago Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.
CVE-2026-40359 high 7.8 7.8 windows windows microsoft 22d ago Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2026-40358 high 8.4 8.4 windows windows microsoft 22d ago Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.
CVE-2026-40357 high 8.8 8.8 windows windows microsoft 22d ago Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
CVE-2026-35440 medium 5.5 5.5 windows windows microsoft 22d ago Files or directories accessible to external parties in Microsoft Office Word allows an unauthorized attacker to disclose information locally.
CVE-2026-35439 high 8.8 8.8 windows windows microsoft 22d ago Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
CVE-2026-35438 high 8.3 8.3 windows windows microsoft 22d ago Missing authorization in Windows Admin Center allows an authorized attacker to elevate privileges over a network.
CVE-2026-35436 high 8.8 8.8 windows windows microsoft 22d ago Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally.
CVE-2026-35429 medium 4.3 4.3 windows windows microsoft 22d ago User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-33833 high 8.2 8.2 windows windows microsoft 22d ago Improper neutralization of special elements in output used by a downstream component ('injection') in Azure Machine Learning allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-33821 high 7.7 7.7 windows windows microsoft 22d ago Improper privilege management in Microsoft Dynamics 365 Customer Insights allows an authorized attacker to elevate privileges over a network.
CVE-2026-33112 high 8.8 8.8 windows windows microsoft 22d ago Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
CVE-2026-33110 high 8.8 8.8 windows windows microsoft 22d ago Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
CVE-2026-32204 high 7.8 7.8 windows windows microsoft 22d ago External control of file name or path in Azure Monitor Agent allows an authorized attacker to elevate privileges locally.
CVE-2026-32185 medium 5.5 5.5 windows windows microsoft 22d ago Files or directories accessible to external parties in Microsoft Teams allows an unauthorized attacker to perform spoofing locally.
CVE-2026-41105 high 8.1 8.1 windows windows microsoft 27d ago Server-side request forgery (ssrf) in Azure Notification Service allows an authorized attacker to elevate privileges over a network.
CVE-2026-35435 high 8.6 8.6 windows windows microsoft 27d ago Improper access control in Azure AI Foundry M365 published agents allows an unauthorized attacker to elevate privileges over a network.
CVE-2026-34327 high 8.2 8.2 windows windows microsoft 27d ago Externally controlled reference to a resource in another sphere in Microsoft Partner Center allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-33111 high 7.5 7.5 windows windows microsoft 27d ago Improper neutralization of special elements used in a command ('command injection') in Copilot Chat (Microsoft Edge) allows an unauthorized attacker to disclose information over a network.
CVE-2026-32207 high 8.8 8.8 windows windows microsoft 27d ago Improper neutralization of input during web page generation ('cross-site scripting') in Azure Machine Learning allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-26164 high 7.5 7.5 windows windows microsoft 27d ago Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.
CVE-2026-26129 high 7.5 7.5 windows windows microsoft 27d ago Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.
CVE-2026-32952 high 7.5 7.5 debian debian microsoft 1mo ago go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can cause a slice out of bounds panic, which can crash a…
CVE-2026-32172 high 8.0 8.0 microsoft 1mo ago Uncontrolled search path element in Microsoft Power Apps allows an unauthorized attacker to execute code over a network.
CVE-2026-26150 high 8.6 8.6 microsoft 1mo ago Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network.
CVE-2026-41134 high 7.8 7.8 microsoft 1mo ago Kiota: Code Generation Literal Injection
CVE-2026-33116 high 7.5 7.5 rhel linux-kernel macos macos microsoft 2mo ago Important: .NET 10.0 security update
CVE-2026-32203 high 7.5 7.5 rhel linux-kernel macos macos microsoft 2mo ago Important: .NET 10.0 security update
CVE-2026-32178 high 7.5 7.5 rhel linux-kernel macos macos microsoft 2mo ago Important: .NET 10.0 security update
CVE-2026-26171 high 7.5 7.5 rhel linux-kernel macos macos microsoft 2mo ago Important: .NET 10.0 security update
CVE-2026-33822 medium 6.1 6.1 microsoft 2mo ago Out-of-bounds read in Microsoft Office Word allows an unauthorized attacker to disclose information locally.
CVE-2026-33120 high 8.8 8.8 microsoft 2mo ago Untrusted pointer dereference in SQL Server allows an authorized attacker to execute code over a network.
CVE-2026-33115 high 8.4 8.4 microsoft 2mo ago Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
CVE-2026-33114 high 8.4 8.4 microsoft 2mo ago Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally.
CVE-2026-33103 medium 5.5 5.5 microsoft 2mo ago Improper access control in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to disclose information locally.
CVE-2026-33095 high 7.8 7.8 microsoft 2mo ago Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.
CVE-2026-32226 medium 5.9 5.9 windows windows microsoft 2mo ago Concurrent execution using shared resource with improper synchronization ('race condition') in .NET Framework allows an unauthorized attacker to deny service over a network.
CVE-2026-32200 high 7.8 7.8 microsoft 2mo ago Use after free in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally.
CVE-2026-32199 high 7.8 7.8 microsoft 2mo ago Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2026-32198 high 7.8 7.8 microsoft 2mo ago Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2026-32197 high 7.8 7.8 microsoft 2mo ago Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2026-32196 medium 6.1 6.1 microsoft 2mo ago Improper neutralization of input during web page generation ('cross-site scripting') in Windows Admin Center allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-32192 high 7.8 7.8 microsoft 2mo ago Deserialization of untrusted data in Azure Monitor Agent allows an authorized attacker to elevate privileges locally.
CVE-2026-32190 high 8.4 8.4 microsoft 2mo ago Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
CVE-2026-32189 high 7.8 7.8 microsoft 2mo ago Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2026-32188 high 7.1 7.1 microsoft 2mo ago Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.
CVE-2026-32184 high 7.8 7.8 microsoft 2mo ago Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an authorized attacker to elevate privileges locally.
CVE-2026-32176 medium 6.7 6.7 microsoft 2mo ago Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges locally.
CVE-2026-32171 high 8.8 8.8 microsoft 2mo ago Insufficiently protected credentials in Azure Logic Apps allows an authorized attacker to elevate privileges over a network.
CVE-2026-32168 high 7.8 7.8 microsoft 2mo ago Improper input validation in Azure Monitor Agent allows an authorized attacker to elevate privileges locally.
CVE-2026-32167 medium 6.7 6.7 microsoft 2mo ago Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges locally.