VYPR

SQL Server

by Microsoft

CVEs (109)

  • CVE-2012-0158HigKEVApr 10, 2012
    risk 0.80cvss 8.8epss 1.00

    The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and…

  • CVE-2012-1856HigKEVAug 15, 2012
    risk 0.75cvss 8.8epss 0.72

    The TabStrip ActiveX control in the Common Controls in MSCOMCTL.OCX in Microsoft Office 2003 SP3, Office 2003 Web Components SP3, Office 2007 SP2 and SP3, Office 2010 SP1, SQL Server 2000 SP4, SQL Server 2005 SP4, SQL Server 2008 SP2, SP3, R2, R2 SP1, and R2 SP2, Commerce Server…

  • CVE-2018-8273CriAug 15, 2018
    risk 0.66cvss 9.8epss 0.29

    A buffer overflow vulnerability exists in the Microsoft SQL Server that could allow remote code execution on an affected system, aka "Microsoft SQL Server Remote Code Execution Vulnerability." This affects Microsoft SQL Server.

  • CVE-2016-0100HigMar 9, 2016
    risk 0.62cvss 8.4epss 0.58

    Microsoft Windows Vista SP2 and Server 2008 SP2 mishandle library loading, which allows local users to gain privileges via a crafted application, aka "Library Loading Input Validation Remote Code Execution Vulnerability."

  • CVE-2016-7254HigNov 10, 2016
    risk 0.58cvss 8.8epss 0.12

    Microsoft SQL Server 2012 SP2 and 2012 SP3 does not properly perform a cast of an unspecified pointer, which allows remote authenticated users to gain privileges via unknown vectors, aka "SQL RDBMS Engine Elevation of Privilege Vulnerability."

  • CVE-2016-7253HigNov 10, 2016
    risk 0.58cvss 8.8epss 0.12

    The agent in Microsoft SQL Server 2012 SP2, 2012 SP3, 2014 SP1, 2014 SP2, and 2016 does not properly check the atxcore.dll ACL, which allows remote authenticated users to gain privileges via unspecified vectors, aka "SQL Server Agent Elevation of Privilege Vulnerability."

  • CVE-2016-7250HigNov 10, 2016
    risk 0.58cvss 8.8epss 0.12

    Microsoft SQL Server 2014 SP1, 2014 SP2, and 2016 does not properly perform a cast of an unspecified pointer, which allows remote authenticated users to gain privileges via unknown vectors, aka "SQL RDBMS Engine Elevation of Privilege Vulnerability."

  • CVE-2016-7249HigNov 10, 2016
    risk 0.58cvss 8.8epss 0.12

    Microsoft SQL Server 2016 does not properly perform a cast of an unspecified pointer, which allows remote authenticated users to gain privileges via unknown vectors, aka "SQL RDBMS Engine Elevation of Privilege Vulnerability."

  • CVE-2026-33120HigApr 14, 2026
    risk 0.57cvss 8.8epss 0.01

    Untrusted pointer dereference in SQL Server allows an authorized attacker to execute code over a network.

  • CVE-2009-2502HigOct 14, 2009
    risk 0.54cvss 8.1epss 0.22

    Buffer overflow in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Office Project 2002 SP1, Visio 2002 SP2, Office Word Viewer, Word Viewer 2003 Gold and SP3, Office Excel Viewer 2003…

  • CVE-2017-8516HigAug 8, 2017
    risk 0.49cvss 7.5epss 0.08

    Microsoft SQL Server Analysis Services in Microsoft SQL Server 2012, Microsoft SQL Server 2014, and Microsoft SQL Server 2016 allows an information disclosure vulnerability when it improperly enforces permissions, aka "Microsoft SQL Server Analysis Services Information…

  • CVE-2002-1872HigDec 31, 2002
    risk 0.49cvss 7.5epss 0.06

    Microsoft SQL Server 6.0 through 2000, with SQL Authentication enabled, uses weak password encryption (XOR), which allows remote attackers to sniff and decrypt the password.

  • CVE-2026-32176MedApr 14, 2026
    risk 0.44cvss 6.7epss 0.00

    Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges locally.

  • CVE-2026-32167MedApr 14, 2026
    risk 0.44cvss 6.7epss 0.00

    Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges locally.

  • CVE-2016-7252MedNov 10, 2016
    risk 0.44cvss 6.5epss 0.18

    Microsoft SQL Server 2016 mishandles the FILESTREAM path, which allows remote authenticated users to gain privileges via unspecified vectors, aka "SQL Analysis Services Information Disclosure Vulnerability."

  • CVE-2016-7251MedNov 10, 2016
    risk 0.40cvss 6.1epss 0.08

    Cross-site scripting (XSS) vulnerability in the MDS API in Microsoft SQL Server 2016 allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka "MDS API XSS Vulnerability."

  • CVE-2008-5416Dec 10, 2008
    risk 0.10cvss epss 0.87

    Heap-based buffer overflow in Microsoft SQL Server 2000 SP4, 8.00.2050, 8.00.2039, and earlier; SQL Server 2000 Desktop Engine (MSDE 2000) SP4; SQL Server 2005 SP2 and 9.00.1399.06; SQL Server 2000 Desktop Engine (WMSDE) on Windows Server 2003 SP1 and SP2; and Windows Internal…

  • CVE-2000-1209Aug 12, 2002
    risk 0.10cvss epss 0.87

    The "sa" account is installed with a default null password on (1) Microsoft SQL Server 2000, (2) SQL Server 7.0, and (3) Data Engine (MSDE) 1.0, including third party packages that use these products such as (4) Tumbleweed Secure Mail (MMS) (5) Compaq Insight Manager, and (6)…

  • CVE-2002-0649Aug 12, 2002
    risk 0.10cvss epss 0.85

    Multiple buffer overflows in the Resolution Service for Microsoft SQL Server 2000 and Microsoft Desktop Engine 2000 (MSDE) allow remote attackers to cause a denial of service or execute arbitrary code via UDP packets to port 1434 in which (1) a 0x04 byte that causes the SQL…

  • CVE-2000-0402May 30, 2000
    risk 0.10cvss epss 0.91

    The Mixed Mode authentication capability in Microsoft SQL Server 7.0 stores the System Administrator (sa) account in plaintext in a log file which is readable by any user, aka the "SQL Server 7.0 Service Pack Password" vulnerability.

Page 1 of 6