CVEs from 2026
Total
14,792
critical
critical 1,335
high
high 5,008
medium
medium 4,832
low
low 503
% Critical
9.0%
% with KEV
0.4%
% with exploit
0.7%
Top vendors
Top products
- chrome 723
- firepower_threat_defense_software 310
- gcp 299
- firepower_threat_defense 298
- openclaw 172
- commerce 104
- netweaver_application_server_abap 102
- commerce_b2b 89
Top packages
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-45956 | high | 7.8 | 7.8 | 11d ago | In the Linux kernel, the following vulnerability has been resolved: drm/exynos: vidi: use priv->vidi_dev for ctx lookup in vidi_connection_ioctl() vidi_connection_ioctl() retrieves the driver_data … | |||
| CVE-2026-45951 | high | 7.8 | 7.8 | 11d ago | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix a potential use-after-free of BTF object Refcounting in the check_pseudo_btf_id() function is incorrect: the __check_pse… | |||
| CVE-2026-45942 | high | 7.8 | 7.8 | 11d ago | In the Linux kernel, the following vulnerability has been resolved: ext4: fix e4b bitmap inconsistency reports A bitmap inconsistency issue was observed during stress tests under mixed huge-page wo… | |||
| CVE-2026-45935 | high | 7.8 | 7.8 | 11d ago | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot In the 'DeleteIndexEntryRoot' case of the 'do_action' function, the… | |||
| CVE-2026-45933 | high | 7.8 | 7.8 | 11d ago | In the Linux kernel, the following vulnerability has been resolved: bpf: Preserve id of register in sync_linked_regs() sync_linked_regs() copies the id of known_reg to reg when propagating bounds o… | |||
| CVE-2026-45931 | high | 7.8 | 7.8 | 11d ago | In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Hold mm structure across iommu_sva_unbind_device() Some tests trigger a crash in iommu_sva_unbind_device() due to … | |||
| CVE-2026-45929 | high | 7.8 | 7.8 | 11d ago | In the Linux kernel, the following vulnerability has been resolved: ovpn: fix possible use-after-free in ovpn_net_xmit When building the skb_list in ovpn_net_xmit, skb_share_check will free the ori… | |||
| CVE-2026-45910 | high | 7.8 | 7.8 | 11d ago | In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix race condition in QP timer handlers I encontered the following warning: WARNING: drivers/infiniband/sw/rxe/rxe_tas… | |||
| CVE-2026-45909 | high | 7.8 | 7.8 | 11d ago | In the Linux kernel, the following vulnerability has been resolved: clk: mediatek: Drop __initconst from gates Since commit 8ceff24a754a ("clk: mediatek: clk-gate: Refactor mtk_clk_register_gate to… | |||
| CVE-2026-45894 | high | 7.8 | 7.8 | 11d ago | In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Clear Present bit before tearing down PASID entry The Intel VT-d Scalable Mode PASID table entry consists of 512 bits… | |||
| CVE-2026-45878 | high | 7.8 | 7.8 | 11d ago | In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix watch_id bounds checking in debug address watch v2 The address watch clear code receives watch_id as an unsigned … | |||
| CVE-2026-45862 | high | 7.8 | 7.8 | 11d ago | In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Flush cache for PASID table before using it When writing the address of a freshly allocated zero-initialized PASID ta… | |||
| CVE-2026-45861 | high | 7.8 | 7.8 | 11d ago | In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix slab-use-after-free in qd_put Commit a475c5dd16e5 ("gfs2: Free quota data objects synchronously") started freeing quota… | |||
| CVE-2026-45852 | high | 7.8 | 7.8 | 11d ago | In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix double free in rxe_srq_from_init In rxe_srq_from_init(), the queue pointer 'q' is assigned to 'srq->rq.queue' befor… | |||
| CVE-2026-49014 | high | 7.8 | 7.8 | 11d ago | In GDAL 3.1.0 through 3.13.0, scanForGeometryContainers in the netCDF driver allows code execution via a stack-based buffer overflow. It reads a geometry attribute into a fixed-size stack buffer with… | |||
| CVE-2026-38945 | high | 7.8 | 7.8 | 11d ago | Command injection in Raynet rvia version 12.6 Update 8 and previous versions allows adversaries to execute arbitrary code via a crafted path that matches the improperly terminated search criteria of … | |||
| CVE-2026-9560 | high | 7.8 | 7.8 | 12d ago | Privilege escalation via background service of OpenVPN Connect 3.5.1 through 3.8.1 on macOS allows attackers to execute arbitrary commands with elevated privileges via local IPC channel | |||
| CVE-2026-24194 | high | 7.8 | 7.8 | 12d ago | NVIDIA Display Driver for Linux contains a vulnerability in a kernel mode layer handler, where a user could cause improper permission handling. A successful exploit of this vulnerability might lead t… | |||
| CVE-2026-24191 | high | 7.8 | 7.8 | 12d ago | NVIDIA Display Driver for Windows contains a vulnerability where an attacker could cause a time-of-check time-of-use issue. A successful exploit of this vulnerability might lead to denial of service,… | |||
| CVE-2026-24190 | high | 7.8 | 7.8 | 12d ago | NVIDIA Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where a user could cause improper access to GPU resources. A successful exploit of this vulnerability mi… | |||
| CVE-2026-24193 | high | 7.8 | 7.8 | 12d ago | NVIDIA Display Driver for Windows and Linux contains a vulnerability where an attacker could cause an out-of-bounds write. A successful exploit of this vulnerability might lead to denial of service, … | |||
| CVE-2026-48864 | high | 7.8 | 7.8 | 12d ago | A flaw was found in libsolv. This heap buffer overflow occurs during the decompression of attacker-controlled compressed data within `.solv` files due to insufficient input validation. An attacker ca… | |||
| CVE-2026-24162 | high | 7.8 | 7.8 | 12d ago | NVIDIA Transformers4Rec for Linux contains a vulnerability where an attacker could cause improper deserialization of untrusted data. A successful exploit of this vulnerability might lead to code exec… | |||
| CVE-2026-24192 | high | 7.8 | 7.8 | 12d ago | NVIDIA Display Driver for Linux contains a vulnerability where an attacker could cause an incorrect conversion between numeric types, leading to a heap buffer overflow. A successful exploit of this v… | |||
| CVE-2026-7454 | high | 7.8 | 7.8 | 12d ago | A maliciously crafted WRL file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the c… | |||
| CVE-2026-7452 | high | 7.8 | 7.8 | 12d ago | A maliciously crafted WRL file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the c… | |||
| CVE-2026-7451 | high | 7.8 | 7.8 | 12d ago | A maliciously crafted TIF file, when parsed through Autodesk 3ds Max, can force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, cause data co… | |||
| CVE-2026-25112 | high | 7.8 | 7.8 | 12d ago | A high-severity vulnerability in the deployment of Genetec RabbitMQ that allows a privilege escalation attack. | |||
| CVE-2026-40034 | high | 7.8 | 7.8 | 12d ago | gix-submodule before 0.29.0 (gitoxide before 0.5.21, gix before 0.84.0) incorrectly validates the update field in .gitmodules, allowing attackers to bypass the CommandForbiddenInModulesConfiguration … | |||
| CVE-2026-25713 | high | 7.8 | 7.8 | 12d ago | MediaArea MediaInfoLib ID3v2 parsing heap buffer overflow vulnerability | |||
| CVE-2026-25104 | high | 7.8 | 7.8 | 12d ago | MediaArea MediaInfoLib LXF parsing heap-based buffer overflow vulnerability | |||
| CVE-2026-44468 | high | 7.8 | 7.8 | 12d ago | The affected product creates a directory with insecure default permissions during administrative installation. This allows a low-privileged local attacker to modify a temporary file defining the comp… | |||
| CVE-2026-4372 | high | 7.8 | 7.8 | 14d ago | A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0. The vulnerability allows an attacker to craft a malicious `config… | |||
| CVE-2026-9255 | high | 7.8 | 7.8 | 16d ago | Missing input source validation in the tool authorization prompt in Kiro CLI before 1.28.0 allows a local attacker to execute arbitrary tools, including shell commands, without user approval by craft… | |||
| CVE-2026-45208 | high | 7.8 | 7.8 | 17d ago | A time-of-check time-of-use vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the abil… | |||
| CVE-2026-45207 | high | 7.8 | 7.8 | 17d ago | An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar to CVE-2026-45206 but exists in a different… | |||
| CVE-2026-45206 | high | 7.8 | 7.8 | 17d ago | An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar to CVE-2026-45207 but exists in a different… | |||
| CVE-2026-34930 | high | 7.8 | 7.8 | 17d ago | An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar to CVE-2026-34927 but exists in a different… | |||
| CVE-2026-34929 | high | 7.8 | 7.8 | 17d ago | An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar to CVE-2026-34927 but exists in a different… | |||
| CVE-2026-34928 | high | 7.8 | 7.8 | 17d ago | An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar to CVE-2026-34927 but exists in a different… | |||
| CVE-2026-34927 | high | 7.8 | 7.8 | 17d ago | An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to … | |||
| CVE-2026-43502 | high | 7.8 | 7.8 | 17d ago | In the Linux kernel, the following vulnerability has been resolved: net/rds: handle zerocopy send cleanup before the message is queued A zerocopy send can fail after user pages have been pinned but… | |||
| CVE-2026-43499 | high | 7.8 | 7.8 | 17d ago | In the Linux kernel, the following vulnerability has been resolved: rtmutex: Use waiter::task instead of current in remove_waiter() remove_waiter() is used by the slowlock paths, but it is also use… | |||
| CVE-2026-43498 | high | 7.8 | 7.8 | 17d ago | In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Disallow re-exporting imported GEM objects Prevent re-exporting of imported GEM buffers by adding a custom prime_hand… | |||
| CVE-2026-43494 | high | 7.8 | 7.8 | 17d ago | In the Linux kernel, the following vulnerability has been resolved: net/rds: reset op_nents when zerocopy page pin fails When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(), the pinne… | |||
| CVE-2026-45251 | high | 7.8 | 7.8 | 17d ago | A file descriptor can be closed while a thread is blocked in a poll(2) or select(2) call waiting for that descriptor. Because the blocked thread does not hold a reference to the underlying object, t… | |||
| CVE-2026-28764 | high | 7.8 | 7.8 | 17d ago | MediaArea MediaInfoLib LXF element parsing heap-based buffer overflow vulnerability | |||
| CVE-2026-45250 | high | 7.8 | 7.8 | 17d ago | The setcred(2) system call is only available to privileged users. However, before the privilege level of the caller is checked, the user-supplied list of supplementary groups is copied into a fixed-… | |||
| CVE-2026-8632 | high | 7.8 | 7.8 | 17d ago | A potential security vulnerability has been identified in the HP Linux Imaging and Printing Software. This potential vulnerability may allow escalation of privileges and/or arbitrary code execution v… | |||
| CVE-2026-24216 | high | 7.8 | 7.8 | 17d ago | NVIDIA BioNemo for Linux contains a vulnerability where a user could cause a deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, denial of serv… | |||
| CVE-2026-22554 | high | 7.8 | 7.8 | 18d ago | MediaArea MediaInfoLib Channel Splitting heap-based buffer overflow vulnerability | |||
| CVE-2026-42834 | high | 7.8 | 7.8 | 18d ago | Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges over a network. | |||
| CVE-2026-0856 | high | 7.8 | 7.8 | 18d ago | Improper Access Control vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component enables a normal user gaining access to the admin panel. This issue affects Meona Clie… | |||
| CVE-2026-44933 | high | 7.8 | 7.8 | 18d ago | `PluginScript` attempts to `chroot` the plugin to the `repoManagerRoot`, this root is frequently `/` (the system root) in standard configurations or when using `--root`. If the chroot target is `/`, … | |||
| CVE-2026-41054 | high | 7.8 | 7.8 | 18d ago | In `src/havegecmd.c`, the `socket_handler` function performs a credential check on the abstract UNIX socket (`\0/sys/entropy/haveged`). However, while it detects if the connecting user is not root (`… | |||
| CVE-2026-43128 | high | 7.8 | 7.8 | 18d ago | In the Linux kernel, the following vulnerability has been resolved: RDMA/umem: Fix double dma_buf_unpin in failure path In ib_umem_dmabuf_get_pinned_with_dma_device(), the call to ib_umem_dmabuf_ma… | |||
| CVE-2026-31532 | high | 7.8 | 7.8 | 18d ago | In the Linux kernel, the following vulnerability has been resolved: can: raw: fix ro->uniq use-after-free in raw_rcv() raw_release() unregisters raw CAN receive filters via can_rx_unregister(), but… | |||
| CVE-2026-23558 | high | 7.8 | 7.8 | 19d ago | The adjustments made for XSA-379 as well as those subsequently becoming XSA-387 still left a race window, when a HVM or PVH guest does a grant table version change from v2 to v1 in parallel with mapp… | |||
| CVE-2026-32323 | high | 7.8 | 7.8 | 19d ago | Mullvad VPN is a VPN client app for desktop and mobile. When using macOS with versions 2026.1 and below, Mullvad VPN may allow local privilege escalation during installation or upgrade. The installer… | |||
| CVE-2026-41035 | high | 7.8 | 7.8 | 19d ago | Important: rsync security update | |||
| CVE-2026-23243 | high | 7.8 | 7.8 | 19d ago | In the Linux kernel, the following vulnerability has been resolved: RDMA/umad: Reject negative data_len in ib_umad_write ib_umad_write computes data_len from user-controlled count and the MAD heade… | |||
| CVE-2026-4137 | high | 7.8 | 7.8 | 19d ago | MLFlow Creates a Temporary File With Insecure Permissions | |||
| CVE-2026-47092 | high | 7.8 | 7.8 | 19d ago | Claude HUD through 0.0.12, patched in commit 234d9aa, contains a command injection vulnerability that allows local attackers to execute arbitrary commands by manipulating the COMSPEC environment vari… | |||
| CVE-2026-45038 | high | 7.8 | 7.8 | 23d ago | Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, since Tabby does not escape control characters from file paths when dragging and dropping a file into it, code … | |||
| CVE-2026-46508 | high | 7.8 | 7.8 | 23d ago | Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14000, the Turborepo LSP VS Code extension could execute shell commands derived from workspace-contr… | |||
| CVE-2026-45353 | high | 7.8 | 7.8 | 23d ago | electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. From 3.0.6 to 3.8.8, This vulnerability is fixed in 3.9.0. | |||
| CVE-2026-44636 | high | 7.8 | 7.8 | 23d ago | libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. From to 1.8.7-r1, signed integer overflow in sixel_encode_highcolor's allocation size calculation can lead to a heap bu… | |||
| CVE-2026-43906 | high | 7.8 | 7.8 | 23d ago | OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a heap-based buffer overflow in the H… | |||
| CVE-2026-43905 | high | 7.8 | 7.8 | 23d ago | OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, jpeg2000input.cpp:395 computes buffer… | |||
| CVE-2026-43904 | high | 7.8 | 7.8 | 23d ago | OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, softimageinput.cpp:469 (mixed RLE) an… | |||
| CVE-2026-43903 | high | 7.8 | 7.8 | 23d ago | OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, sgiinput.cpp:265,274 use OIIO_DASSERT… | |||
| CVE-2026-42283 | high | 7.8 | 7.8 | 24d ago | DevSpace UI Server WebSocket CheckOrigin does not validate source | |||
| CVE-2026-44471 | high | 7.8 | 7.8 | 24d ago | gitoxide is an implementation of git written in Rust. Prior to 0.21.1, a malicious tree can be constructed that will, when checked out with gitoxide, permit writing an attacker-controlled symlink int… | |||
| CVE-2026-30906 | high | 7.8 | 7.8 | 24d ago | Untrusted search path in the installer for Zoom Rooms for Windows before version 7.0.0 may allow an authenticated user to enable an escalation of privilege via local access. | |||
| CVE-2026-30905 | high | 7.8 | 7.8 | 24d ago | External Control of File Name or Path in the Zoom Workplace VDI Plugin Windows Universal Installer before version 6.6.11 may allow an authenticated user to conduct an escalation of privilege via loca… | |||
| CVE-2026-45033 | high | 7.8 | 7.8 | 25d ago | GitHub Copilot CLI brings AI-powered coding assistance directly to your command line. Prior to 1.0.43, a security vulnerability has been identified in GitHub Copilot CLI where a malicious bare git r… | |||
| CVE-2026-44470 | high | 7.8 | 7.8 | 25d ago | The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. Prior to 1.3834.0, the CoworkVMService component in Claude Desktop for Window… | |||
| CVE-2026-43481 | high | 7.8 | 7.8 | 25d ago | In the Linux kernel, the following vulnerability has been resolved: net-shapers: don't free reply skb after genlmsg_reply() genlmsg_reply() hands the reply skb to netlink, and netlink_unicast() con… | |||
| CVE-2026-43476 | high | 7.8 | 7.8 | 25d ago | In the Linux kernel, the following vulnerability has been resolved: iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas() sizeof(num) evaluates to sizeof(size_t) (8 bytes on 64-bit) in… | |||
| CVE-2026-42290 | high | 7.8 | 7.8 | 25d ago | protobuf.js is Vulnerable to OS Command Injection in the CLI | |||
| CVE-2026-45152 | high | 7.8 | 7.8 | 25d ago | uniget is a universal installer and updater for (container) tools. Prior to 0.27.1, a command injection vulnerability exists in uniget due to unsafe execution of the check field from metadata files u… | |||
| CVE-2026-45136 | high | 7.8 | 7.8 | 25d ago | claude-code-cache-fix is a cache optimization proxy for Claude Code. From 3.5.0 to before 3.5.2, tools/quota-statusline.sh (introduced in v3.5.0) interpolates Claude Code's hook stdin payload directl… | |||
| CVE-2026-44724 | high | 7.8 | 7.8 | 25d ago | systeminformation is a System and OS information library for node.js. From 4.17.0 to 5.31.5, on Linux, systeminformation is vulnerable to command injection in networkInterfaces() when an active Netwo… | |||
| CVE-2026-44612 | high | 7.8 | 7.8 | 25d ago | Bytello Share (Windows Edition) installer executable provided by Bytello insecurely loads Dynamic Link Libraries. If there is a crafted DLL at the same directory when invoking the affected installer,… | |||
| CVE-2026-21020 | high | 7.8 | 7.8 | 25d ago | Improper export of android application components in OmaCP prior to SMR May-2026 Release 1 allows local attackers to trigger privileged functions. | |||
| CVE-2026-8108 | high | 7.8 | 7.8 | 25d ago | The installation of Fuji Tellus adds a driver to the kernel which grants all users read and write permissions. | |||
| CVE-2026-42191 | high | 7.8 | 7.8 | 25d ago | OpenTelemetry's disk retry default temp path enables local blob injection via OTLP Exporter | |||
| CVE-2026-34690 | high | 7.8 | 7.8 | 25d ago | After Effects versions 26.0, 25.6.4 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitat… | |||
| CVE-2026-34684 | high | 7.8 | 7.8 | 25d ago | Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation … | |||
| CVE-2026-34683 | high | 7.8 | 7.8 | 25d ago | Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation … | |||
| CVE-2026-34682 | high | 7.8 | 7.8 | 25d ago | Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation … | |||
| CVE-2026-34681 | high | 7.8 | 7.8 | 25d ago | Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation … | |||
| CVE-2026-31221 | high | 7.8 | 7.8 | 25d ago | PyTorch Lightning load_from_checkpoint has an insecure checkpoint deserialization | |||
| CVE-2026-42896 | high | 7.8 | 7.8 | 26d ago | Integer overflow or wraparound in Windows DWM Core Library allows an authorized attacker to elevate privileges locally. | |||
| CVE-2026-42831 | high | 7.8 | 7.8 | 26d ago | Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally. | |||
| CVE-2026-41611 | high | 7.8 | 7.8 | 26d ago | Improper neutralization of script-related html tags in a web page (basic xss) in Visual Studio Code allows an unauthorized attacker to execute code locally. | |||
| CVE-2026-41095 | high | 7.8 | 7.8 | 26d ago | Use after free in Data Deduplication allows an authorized attacker to elevate privileges locally. | |||
| CVE-2026-41088 | high | 7.8 | 7.8 | 26d ago | Access of resource using incompatible type ('type confusion') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | |||
| CVE-2026-40419 | high | 7.8 | 7.8 | 26d ago | Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally. | |||
| CVE-2026-40418 | high | 7.8 | 7.8 | 26d ago | Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally. |