Filtered by vendor Microsoft
Subscriptions
Total
24865 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-32204 | 1 Microsoft | 2 Azure Monitor, Azure Monitor Agent | 2026-05-13 | 7.8 High |
| External control of file name or path in Azure Monitor Agent allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2026-41102 | 1 Microsoft | 2 Powerpoint, Powerpoint For Android | 2026-05-13 | 7.1 High |
| Improper access control in Microsoft Office PowerPoint allows an authorized attacker to perform spoofing locally. | ||||
| CVE-2026-41109 | 1 Microsoft | 1 Visual Studio Code | 2026-05-13 | 8.8 High |
| Improper neutralization of special elements in output used by a downstream component ('injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to bypass a security feature over a network. | ||||
| CVE-2026-32185 | 1 Microsoft | 1 Teams | 2026-05-13 | 5.5 Medium |
| Files or directories accessible to external parties in Microsoft Teams allows an unauthorized attacker to perform spoofing locally. | ||||
| CVE-2026-34332 | 1 Microsoft | 2 Windows Server 2025, Windows Server 2025 (server Core Installation) | 2026-05-13 | 8 High |
| Use after free in Windows Kernel-Mode Drivers allows an authorized attacker to execute code over a network. | ||||
| CVE-2026-40370 | 1 Microsoft | 10 Microsoft Sql Server 2016 Service Pack 3 Azure Connect Feature Pack, Microsoft Sql Server 2017 (gdr), Microsoft Sql Server 2019 (gdr) and 7 more | 2026-05-13 | 8.8 High |
| External control of file name or path in SQL Server allows an authorized attacker to execute code over a network. | ||||
| CVE-2026-40381 | 1 Microsoft | 1 Azure Connected Machine Agent | 2026-05-13 | 7.8 High |
| Improper access control in Azure Connected Machine Agent allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2026-34661 | 3 Adobe, Apple, Microsoft | 3 Illustrator, Macos, Windows | 2026-05-13 | 7.8 High |
| Illustrator versions 29.8.6, 30.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||
| CVE-2026-34687 | 3 Adobe, Apple, Microsoft | 3 Illustrator, Macos, Windows | 2026-05-13 | 7.8 High |
| Illustrator versions 29.8.6, 30.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||
| CVE-2026-34662 | 3 Adobe, Apple, Microsoft | 3 Illustrator, Macos, Windows | 2026-05-12 | 5.5 Medium |
| Illustrator versions 29.8.6, 30.3 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||
| CVE-2026-7910 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-05-12 | 4.7 Medium |
| Use after free in Views in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2026-42898 | 1 Microsoft | 1 Dynamics 365 | 2026-05-12 | 9.9 Critical |
| Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network. | ||||
| CVE-2026-7431 | 2 Ivanti, Microsoft | 2 Secure Access Client, Windows | 2026-05-12 | 4.4 Medium |
| An incorrect permission assignment for critical resource of Ivanti Secure Access Client before 22.8R6 allows a local authenticated user to read or modify sensitive log data via write access to a shared memory section. | ||||
| CVE-2026-7432 | 2 Ivanti, Microsoft | 2 Secure Access Client, Windows | 2026-05-12 | 7.8 High |
| A race condition in Ivanti Secure Access Client before 22.8R6 allows a locally authenticated user to escalate privileges to SYSTEM | ||||
| CVE-2026-40374 | 1 Microsoft | 1 Power Automate For Desktop | 2026-05-12 | 6.5 Medium |
| Exposure of sensitive information to an unauthorized actor in Power Automate allows an authorized attacker to disclose information over a network. | ||||
| CVE-2026-34663 | 3 Adobe, Apple, Microsoft | 3 Illustrator, Macos, Windows | 2026-05-12 | 5.5 Medium |
| Illustrator versions 29.8.6, 30.3 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||
| CVE-2026-41613 | 1 Microsoft | 1 Visual Studio Code | 2026-05-12 | 8.8 High |
| Session fixation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network. | ||||
| CVE-2023-44487 | 33 Akka, Amazon, Apache and 30 more | 378 Http Server, Opensearch Data Prepper, Apisix and 375 more | 2026-05-12 | 7.5 High |
| The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | ||||
| CVE-2025-55754 | 2 Apache, Microsoft | 2 Tomcat, Windows | 2026-05-12 | 9.6 Critical |
| Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker controlled command. While no attack vector was found, it may have been possible to mount this attack on other operating systems. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.40 through 9.0.108. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.60 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue. | ||||
| CVE-2023-38545 | 5 Fedoraproject, Haxx, Microsoft and 2 more | 19 Fedora, Libcurl, Windows 10 1809 and 16 more | 2026-05-12 | 8.8 High |
| This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long host name to the target buffer instead of copying just the resolved address there. The target buffer being a heap based buffer, and the host name coming from the URL that curl has been told to operate with. | ||||