Outlook
by Microsoft
CVEs (139)
| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2004-0284 | 0.01 | — | 0.17 | Nov 23, 2004 | Microsoft Internet Explorer 6.0, Outlook 2002, and Outlook 2003 allow remote attackers to cause a denial of service (CPU consumption), if "Do not save encrypted pages to disk" is disabled, via a web site or HTML e-mail that contains two null characters (%00) after the host name. |
| CVE-2004-0503 | 0.01 | — | 0.11 | Aug 18, 2004 | Microsoft Outlook 2003 allows remote attackers to bypass the default zone restrictions and execute script within media files via a Rich Text Format (RTF) message containing an OLE object for the Windows Media Player, which bypasses Media Player's setting to disallow scripting… |
| CVE-2002-2100 | 0.01 | — | 0.11 | Dec 31, 2002 | Microsoft Outlook 2002 allows remote attackers to bypass the file download restrictions for attachments via an HTML email message that uses an IFRAME to reference malicious content. |
| CVE-2002-2101 | 0.01 | — | 0.11 | Dec 31, 2002 | Microsoft Outlook 2002 allows remote attackers to execute arbitrary JavaScript code, even when scripting is disabled, via an "about:" or "javascript:" URI in the href attribute of an "a" tag. |
| CVE-2002-1255 | 0.01 | — | 0.14 | Dec 18, 2002 | Microsoft Outlook 2002 allows remote attackers to cause a denial of service (repeated failure) via an email message with a certain invalid header field that is accessed using POP3, IMAP, or WebDAV, aka "E-mail Header Processing Flaw Could Cause Outlook 2002 to Fail." |
| CVE-2002-0481 | 0.01 | — | 0.10 | Aug 12, 2002 | An interaction between Windows Media Player (WMP) and Outlook 2002 allows remote attackers to bypass Outlook security settings and execute JavaScript via an IFRAME in an HTML email message that references .WMS (Windows Media Skin) or other WMP media files, whose onload handlers… |
| CVE-2002-1056 | 0.01 | — | 0.19 | May 16, 2002 | Microsoft Outlook 2000 and 2002, when configured to use Microsoft Word as the email editor, do not block scripts that are used while editing email messages in HTML or Rich Text Format (RTF), which could allow remote attackers to execute arbitrary scripts via an email that the… |
| CVE-2001-0145 | 0.01 | — | 0.07 | May 3, 2001 | Buffer overflow in VCard handler in Outlook 2000 and 98, and Outlook Express 5.x, allows an attacker to execute arbitrary commands via a malformed vCard birthday field. |
| CVE-2000-0662 | 0.01 | — | 0.21 | Jul 14, 2000 | Internet Explorer 5.x and Microsoft Outlook allow remote attackers to read arbitrary files by redirecting the contents of an IFRAME using the DHTML Edit Control (DHTMLED). |
| CVE-2000-0524 | 0.01 | — | 0.15 | Jun 5, 2000 | Microsoft Outlook and Outlook Express allow remote attackers to cause a denial of service by sending email messages with blank fields such as BCC, Reply-To, Return-Path, or From. |
| CVE-2000-0160 | 0.01 | — | 0.09 | Feb 21, 2000 | The Microsoft Active Setup ActiveX component in Internet Explorer 4.x and 5.x allows a remote attacker to install software components without prompting the user by stating that the software's manufacturer is Microsoft. |
| CVE-1999-1164 | 0.01 | — | 0.13 | Jun 25, 1999 | Microsoft Outlook client allows remote attackers to cause a denial of service by sending multiple email messages with the same X-UIDL headers, which causes Outlook to hang. |
| CVE-2026-21511 | 0.00 | — | 0.04 | Feb 10, 2026 | Deserialization of untrusted data in Microsoft Office Outlook allows an unauthorized attacker to perform spoofing over a network. |
| CVE-2026-21260 | 0.00 | — | 0.01 | Feb 10, 2026 | Exposure of sensitive information to an unauthorized actor in Microsoft Office Outlook allows an unauthorized attacker to perform spoofing over a network. |
| CVE-2025-62562 | 0.00 | — | 0.01 | Dec 9, 2025 | Use after free in Microsoft Office Outlook allows an unauthorized attacker to execute code locally. |
| CVE-2025-49699 | 0.00 | — | 0.00 | Jul 8, 2025 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. |
| CVE-2025-47176 | 0.00 | — | 0.01 | Jun 10, 2025 | '.../...//' in Microsoft Office Outlook allows an authorized attacker to execute code locally. |
| CVE-2025-21357 | 0.00 | — | 0.01 | Jan 14, 2025 | Microsoft Outlook Remote Code Execution Vulnerability |
| CVE-2024-42220 | 0.00 | — | 0.01 | Dec 18, 2024 | A library injection vulnerability exists in Microsoft Outlook 16.83.3 for macOS. A specially crafted library can leverage Outlook's access privileges, leading to a permission bypass. A malicious application could inject a library and start the program to trigger this… |
| CVE-2024-38173 | 0.00 | — | 0.01 | Aug 13, 2024 | Microsoft Outlook Remote Code Execution Vulnerability |