CVE-2026-47294
high
8.0
8.0
microsoft
2d ago
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
CVE-2026-42899
high
7.5
7.5
FIX
rhel macos macos linux-kernel
microsoft
8d ago
Important: .NET 9.0 security update
CVE-2026-42827
medium
6.5
6.5
windows windows
microsoft
12d ago
Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.
CVE-2026-41104
critical
10.0
10.0
windows windows
microsoft
12d ago
Deserialization of untrusted data in Microsoft Planetary Computer Pro allows an unauthorized attacker to disclose information over a network.
CVE-2026-40412
critical
10.0
10.0
windows windows
microsoft
12d ago
Unrestricted upload of file with dangerous type in Azure Orbital Spatio allows an unauthorized attacker to execute code over a network.
CVE-2026-40411
critical
9.9
9.9
windows windows
microsoft
12d ago
Improper input validation in Azure Virtual Network Gateway allows an authorized attacker to execute code over a network.
CVE-2026-35430
high
8.8
8.8
windows windows
microsoft
12d ago
Authorization bypass through user-controlled key in Azure Privileged Identity Management (PIM) allows an authorized attacker to elevate privileges over a network.
CVE-2026-26147
high
7.7
7.7
windows windows
microsoft
12d ago
Improper input validation in Azure Compute Gallery allows an authorized attacker to disclose information over a network.
CVE-2026-23663
high
7.5
7.5
windows windows
microsoft
12d ago
Improper privilege management in Azure Entra ID allows an unauthorized attacker to elevate privileges over a network.
CVE-2026-42901
critical
10.0
10.0
windows windows
microsoft
12d ago
Origin validation error in Microsoft Entra ID allows an unauthorized attacker to elevate privileges over a network.
CVE-2026-45659
high
8.8
8.8
windows windows
microsoft
12d ago
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
CVE-2026-33843
critical
9.1
9.1
windows windows
microsoft
12d ago
Authentication bypass using an alternate path or channel in Microsoft Azure Active Directory B2C allows an unauthorized attacker to elevate privileges over a network.
CVE-2026-41090
critical
9.3
9.3
windows windows
microsoft
12d ago
Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to perform tampering over a network.
CVE-2026-47280
critical
10.0
10.0
windows windows
microsoft
12d ago
Improper authentication in Azure Resource Manager (ARM) allows an unauthorized attacker to elevate privileges over a network.
CVE-2026-23652
critical
10.0
10.0
windows windows
microsoft
12d ago
Improper neutralization of special elements used in a command ('command injection') in Microsoft Power Pages allows an unauthorized attacker to execute code over a network.
CVE-2026-45584
high
8.1
8.1
windows windows
microsoft
14d ago
Heap-based buffer overflow in Microsoft Defender allows an unauthorized attacker to execute code over a network.
CVE-2026-42834
high
7.8
7.8
windows windows
microsoft
14d ago
Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges over a network.
CVE-2026-41091
high
7.8
9.3
KEV
windows windows
microsoft
14d ago
Microsoft Defender contains a link following vulnerability that allows an authorized attacker to elevate privileges locally.
CVE-2026-45498
medium
4.0
5.5
KEV
windows windows
microsoft
14d ago
Microsoft Defender contains an unspecified vulnerability that allows for denial of service.
CVE-2026-45495
high
8.8
8.8
windows windows
microsoft
16d ago
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
CVE-2026-45494
medium
5.4
5.4
windows windows
microsoft
16d ago
Microsoft Edge (Chromium-based) Spoofing Vulnerability
CVE-2026-45492
medium
5.4
5.4
windows windows
microsoft
16d ago
Improper input validation in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network.
CVE-2026-42822
critical
10.0
10.0
windows windows
microsoft
16d ago
Improper authentication in Azure Local Disconnected Operations allows an unauthorized attacker to elevate privileges over a network.
CVE-2026-42897
high
8.1
9.6
KEV
windows windows
microsoft
20d ago
Microsoft Exchange Server contains a cross-site scripting vulnerability during web page generation in Outlook Web Access and when certain interaction conditions are met, arbitrary JavaScript can be e…
CVE-2026-41615
critical
9.6
9.6
windows windows
microsoft
20d ago
Exposure of sensitive information to an unauthorized actor in Microsoft Authenticator allows an unauthorized attacker to disclose information over a network.
CVE-2026-42898
critical
9.9
9.9
windows windows
microsoft
22d ago
Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.
CVE-2026-42893
high
7.4
7.4
windows windows
microsoft
22d ago
Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to perform tampering over a network.
CVE-2026-42891
medium
6.5
6.5
windows windows
microsoft
22d ago
User interface (UI) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-42838
medium
5.4
5.4
windows windows
microsoft
22d ago
Improper neutralization of special elements in output used by a downstream component ('injection') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to elevate privileges over a netw…
CVE-2026-42833
critical
9.1
9.1
windows windows
microsoft
22d ago
Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.
CVE-2026-42832
high
7.7
7.7
windows windows
microsoft
22d ago
Improper access control in Microsoft Office allows an unauthorized attacker to perform spoofing locally.
CVE-2026-42831
high
7.8
7.8
windows windows
microsoft
22d ago
Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.
CVE-2026-42830
medium
6.5
6.5
windows windows
microsoft
22d ago
Untrusted search path in Azure Monitor Agent allows an authorized attacker to elevate privileges locally.
CVE-2026-42823
critical
9.9
9.9
windows windows
microsoft
22d ago
Improper access control in Azure Logic Apps allows an authorized attacker to elevate privileges over a network.
CVE-2026-41614
medium
6.2
6.2
windows windows
microsoft
22d ago
Improper access control in M365 Copilot for Desktop allows an unauthorized attacker to perform spoofing locally.
CVE-2026-41613
high
8.8
8.8
windows windows
microsoft
22d ago
Session fixation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.
CVE-2026-41612
medium
5.5
5.5
windows windows
microsoft
22d ago
Relative path traversal in Visual Studio Code allows an unauthorized attacker to disclose information locally.
CVE-2026-41611
high
7.8
7.8
windows windows
microsoft
22d ago
Improper neutralization of script-related HTML tags in a web page (basic XSS) in Visual Studio Code allows an unauthorized attacker to execute code locally.
CVE-2026-41610
medium
6.3
6.3
windows windows
microsoft
22d ago
Improper neutralization of input during web page generation ('cross-site scripting') in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally.
CVE-2026-41109
high
8.8
8.8
windows windows
microsoft
22d ago
Improper neutralization of special elements in output used by a downstream component ('injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to bypass a security feature ove…
CVE-2026-41107
high
7.4
7.4
windows windows
microsoft
22d ago
External control of file name or path in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose information over a network.
CVE-2026-41103
critical
9.1
9.1
windows windows
microsoft
22d ago
Incorrect implementation of authentication algorithm in Microsoft SSO Plugin for Jira & Confluence allows an unauthorized attacker to elevate privileges over a network.
CVE-2026-41102
high
7.1
7.1
windows windows
microsoft
22d ago
Improper access control in Microsoft Office PowerPoint allows an authorized attacker to perform spoofing locally.
CVE-2026-41101
high
7.1
7.1
windows windows
microsoft
22d ago
Improper access control in Microsoft Office Word allows an authorized attacker to perform spoofing locally.
CVE-2026-41100
medium
4.4
4.4
windows windows
microsoft
22d ago
Improper access control in M365 Copilot allows an authorized attacker to perform spoofing locally.
CVE-2026-41094
high
8.8
8.8
windows windows
microsoft
22d ago
Improper control of generation of code ('code injection') in Microsoft Data Formulator allows an unauthorized attacker to execute code over a network.
CVE-2026-41086
high
8.8
8.8
windows windows
microsoft
22d ago
Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges over a network.
CVE-2026-40421
medium
4.3
4.3
windows windows
microsoft
22d ago
Files or directories accessible to external parties in Microsoft Office Word allows an unauthorized attacker to disclose information locally.
CVE-2026-40420
high
8.8
8.8
windows windows
microsoft
22d ago
Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally.
CVE-2026-40419
high
7.8
7.8
windows windows
microsoft
22d ago
Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally.
CVE-2026-40418
high
7.8
7.8
windows windows
microsoft
22d ago
Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally.
CVE-2026-40417
high
7.8
7.8
windows windows
microsoft
22d ago
Weak authentication in Dynamics Business Central allows an authorized attacker to elevate privileges locally.
CVE-2026-40416
medium
4.3
4.3
windows windows
microsoft
22d ago
User interface (UI) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-40381
high
7.8
7.8
windows windows
microsoft
22d ago
Improper access control in Azure Connected Machine Agent allows an authorized attacker to elevate privileges locally.
CVE-2026-40379
critical
9.3
9.3
windows windows
microsoft
22d ago
Exposure of sensitive information to an unauthorized actor in Azure Entra ID allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-40374
medium
6.5
6.5
windows windows
microsoft
22d ago
Exposure of sensitive information to an unauthorized actor in Power Automate allows an authorized attacker to disclose information over a network.
CVE-2026-40368
high
8.0
8.0
windows windows
microsoft
22d ago
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
CVE-2026-40367
high
8.4
8.4
windows windows
microsoft
22d ago
Access of resource using incompatible type ('type confusion') in Microsoft Office Word allows an unauthorized attacker to execute code locally.
CVE-2026-40366
high
8.4
8.4
windows windows
microsoft
22d ago
Access of resource using incompatible type ('type confusion') in Microsoft Office Word allows an unauthorized attacker to execute code locally.
CVE-2026-40365
high
8.8
8.8
windows windows
microsoft
22d ago
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
CVE-2026-40364
high
8.4
8.4
windows windows
microsoft
22d ago
Access of resource using incompatible type ('type confusion') in Microsoft Office Word allows an unauthorized attacker to execute code locally.
CVE-2026-40363
high
8.4
8.4
windows windows
microsoft
22d ago
Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.
CVE-2026-40362
high
7.8
7.8
windows windows
microsoft
22d ago
Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2026-40361
high
8.4
8.4
windows windows
microsoft
22d ago
Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
CVE-2026-40360
high
7.8
7.8
windows windows
microsoft
22d ago
Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.
CVE-2026-40359
high
7.8
7.8
windows windows
microsoft
22d ago
Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2026-40358
high
8.4
8.4
windows windows
microsoft
22d ago
Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.
CVE-2026-40357
high
8.8
8.8
windows windows
microsoft
22d ago
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
CVE-2026-35440
medium
5.5
5.5
windows windows
microsoft
22d ago
Files or directories accessible to external parties in Microsoft Office Word allows an unauthorized attacker to disclose information locally.
CVE-2026-35439
high
8.8
8.8
windows windows
microsoft
22d ago
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
CVE-2026-35438
high
8.3
8.3
windows windows
microsoft
22d ago
Missing authorization in Windows Admin Center allows an authorized attacker to elevate privileges over a network.
CVE-2026-35436
high
8.8
8.8
windows windows
microsoft
22d ago
Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally.
CVE-2026-35429
medium
4.3
4.3
windows windows
microsoft
22d ago
User interface (UI) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-33833
high
8.2
8.2
windows windows
microsoft
22d ago
Improper neutralization of special elements in output used by a downstream component ('injection') in Azure Machine Learning allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-33821
high
7.7
7.7
windows windows
microsoft
22d ago
Improper privilege management in Microsoft Dynamics 365 Customer Insights allows an authorized attacker to elevate privileges over a network.
CVE-2026-33117
critical
9.1
9.1
windows windows
microsoft
22d ago
Security feature bypass vulnerability in Azure Key Vault Keys library for Java
CVE-2026-33112
high
8.8
8.8
windows windows
microsoft
22d ago
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
CVE-2026-33110
high
8.8
8.8
windows windows
microsoft
22d ago
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
CVE-2026-32204
high
7.8
7.8
windows windows
microsoft
22d ago
External control of file name or path in Azure Monitor Agent allows an authorized attacker to elevate privileges locally.
CVE-2026-32185
medium
5.5
5.5
windows windows
microsoft
22d ago
Files or directories accessible to external parties in Microsoft Teams allows an unauthorized attacker to perform spoofing locally.
CVE-2026-42826
critical
10.0
10.0
windows windows
microsoft
27d ago
Exposure of sensitive information to an unauthorized actor in Azure DevOps allows an unauthorized attacker to disclose information over a network.
CVE-2026-41105
high
8.1
8.1
windows windows
microsoft
27d ago
Server-side request forgery (SSRF) in Azure Notification Service allows an authorized attacker to elevate privileges over a network.
CVE-2026-35435
high
8.6
8.6
windows windows
microsoft
27d ago
Improper access control in Azure AI Foundry M365 published agents allows an unauthorized attacker to elevate privileges over a network.
CVE-2026-35428
critical
9.6
9.6
windows windows
microsoft
27d ago
Improper neutralization of special elements used in a command ('command injection') in Azure Cloud Shell allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-34327
high
8.2
8.2
windows windows
microsoft
27d ago
Externally controlled reference to a resource in another sphere in Microsoft Partner Center allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-33844
critical
9.0
9.0
windows windows
microsoft
27d ago
Improper access control in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network.
CVE-2026-33823
critical
9.6
9.6
windows windows
microsoft
27d ago
Improper authorization in Microsoft Teams allows an authorized attacker to disclose information over a network.
CVE-2026-33111
high
7.5
7.5
windows windows
microsoft
27d ago
Improper neutralization of special elements used in a command ('command injection') in Copilot Chat (Microsoft Edge) allows an unauthorized attacker to disclose information over a network.
CVE-2026-33109
critical
9.9
9.9
windows windows
microsoft
27d ago
Improper access control in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network.
CVE-2026-32207
high
8.8
8.8
windows windows
microsoft
27d ago
Improper neutralization of input during web page generation ('cross-site scripting') in Azure Machine Learning allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-26164
high
7.5
7.5
windows windows
microsoft
27d ago
Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.
CVE-2026-26129
high
7.5
7.5
windows windows
microsoft
27d ago
Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.
CVE-2026-21515
critical
9.9
9.9
microsoft
1mo ago
Exposure of sensitive information to an unauthorized actor in Azure IoT Central allows an authorized attacker to elevate privileges over a network.
CVE-2026-32952
high
7.5
7.5
debian debian
microsoft
1mo ago
go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can cause a slice out of bounds panic, which can crash a…
CVE-2026-35431
critical
10.0
10.0
microsoft
1mo ago
Server-side request forgery (SSRF) in Microsoft Entra ID Entitlement Management allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-33819
critical
10.0
10.0
microsoft
1mo ago
Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.
CVE-2026-33102
critical
9.3
9.3
microsoft
1mo ago
URL redirection to untrusted site ('open redirect') in M365 Copilot allows an unauthorized attacker to elevate privileges over a network.
CVE-2026-32210
critical
9.3
9.3
microsoft
1mo ago
Server-side request forgery (SSRF) in Microsoft Dynamics 365 (Online) allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-32172
high
8.0
8.0
microsoft
1mo ago
Uncontrolled search path element in Microsoft Power Apps allows an unauthorized attacker to execute code over a network.
CVE-2026-26150
high
8.6
8.6
microsoft
1mo ago
Server-side request forgery (SSRF) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network.