Vendor CVEs
Microsoft
All CVEs
14,175 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-48567 | Cri | 0.65 | 10.0 | 0.01 | Jun 4, 2026 | Authentication bypass by spoofing in Azure HorizonDB allows an unauthorized attacker to elevate privileges over a network. | ||
| CVE-2026-47280 | Cri | 0.65 | 10.0 | 0.00 | May 22, 2026 | Improper authentication in Azure Resource Manager (ARM) allows an unauthorized attacker to elevate privileges over a network. | ||
| CVE-2026-42901 | Cri | 0.65 | 10.0 | 0.00 | May 22, 2026 | Origin validation error in Microsoft Entra ID allows an unauthorized attacker to elevate privileges over a network. | ||
| CVE-2026-41104 | Cri | 0.65 | 10.0 | 0.01 | May 22, 2026 | Deserialization of untrusted data in Microsoft Planetary Computer Pro allows an unauthorized attacker to disclose information over a network. | ||
| CVE-2026-40412 | Cri | 0.65 | 10.0 | 0.01 | May 22, 2026 | Unrestricted upload of file with dangerous type in Azure Orbital Spatio allows an unauthorized attacker to execute code over a network. | ||
| CVE-2026-23652 | Cri | 0.65 | 10.0 | 0.01 | May 22, 2026 | Improper neutralization of special elements used in a command ('command injection') in Microsoft Power Pages allows an unauthorized attacker to execute code over a network. | ||
| CVE-2026-42822 | Cri | 0.65 | 10.0 | 0.00 | May 18, 2026 | Improper authentication in Azure Local Disconnected Operations allows an unauthorized attacker to elevate privileges over a network. | ||
| CVE-2026-42897 | Hig | 0.65 | 8.1 | 0.06 | KEV | May 14, 2026 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. | |
| CVE-2026-42826 | Cri | 0.65 | 10.0 | 0.01 | May 7, 2026 | Exposure of sensitive information to an unauthorized actor in Azure DevOps allows an unauthorized attacker to disclose information over a network. | ||
| CVE-2026-35431 | Cri | 0.65 | 10.0 | 0.01 | Apr 23, 2026 | Server-side request forgery (ssrf) in Microsoft Entra ID Entitlement Management allows an unauthorized attacker to perform spoofing over a network. | ||
| CVE-2026-33819 | Cri | 0.65 | 10.0 | 0.01 | Apr 23, 2026 | Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network. | ||
| CVE-2026-32186 | Cri | 0.65 | 10.0 | 0.01 | Apr 3, 2026 | Server-side request forgery (ssrf) in Microsoft Bing allows an unauthorized attacker to elevate privileges over a network. | ||
| CVE-2026-33107 | Cri | 0.65 | 10.0 | 0.01 | Apr 3, 2026 | Server-side request forgery (ssrf) in Azure Databricks allows an unauthorized attacker to elevate privileges over a network. | ||
| CVE-2026-33105 | Cri | 0.65 | 10.0 | 0.01 | Apr 3, 2026 | Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over a network. | ||
| CVE-2026-32213 | Cri | 0.65 | 10.0 | 0.01 | Apr 3, 2026 | Improper authorization in Azure AI Foundry allows an unauthorized attacker to elevate privileges over a network. | ||
| CVE-2026-32169 | Cri | 0.65 | 10.0 | 0.01 | Mar 19, 2026 | Server-side request forgery (ssrf) in Azure Cloud Shell allows an unauthorized attacker to elevate privileges over a network. | ||
| CVE-2023-44487 | Hig | 0.65 | 7.5 | 1.00 | KEV | Oct 10, 2023 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | |
| CVE-2018-8327 | Cri | 0.65 | 9.8 | 0.21 | Jul 11, 2018 | A remote code execution vulnerability exists in PowerShell Editor Services, aka "PowerShell Editor Services Remote Code Execution Vulnerability." This affects PowerShell Editor, PowerShell Extension. | ||
| CVE-2018-8154 | Cri | 0.65 | 9.8 | 0.22 | May 9, 2018 | A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka "Microsoft Exchange Memory Corruption Vulnerability." This affects Microsoft Exchange Server. This CVE ID is unique from CVE-2018-8151. | ||
| CVE-2018-0986 | Hig | 0.65 | 8.8 | 0.61 | Apr 4, 2018 | A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a specially crafted file, leading to memory corruption, aka "Microsoft Malware Protection Engine Remote Code Execution Vulnerability." This affects Windows Defender,… | ||
| CVE-2017-0028 | Cri | 0.65 | 9.8 | 0.19 | Jul 17, 2017 | A remote code execution vulnerability exists when Microsoft scripting engine improperly accesses objects in memory. The vulnerability could corrupt memory in a way that enables an attacker to execute arbitrary code in the context of the current user. An attacker who successfully… | ||
| CVE-2017-0089 | Hig | 0.65 | 8.8 | 0.57 | Mar 17, 2017 | Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows remote attackers to execute arbitrary code via a crafted web site, aka "Uniscribe Remote Code Execution Vulnerability." This vulnerability is different from those described in… | ||
| CVE-2016-3222 | Hig | 0.65 | 8.8 | 0.57 | Jun 16, 2016 | Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Microsoft Edge Memory Corruption Vulnerability." | ||
| CVE-2016-0132 | Cri | 0.65 | 9.8 | 0.22 | Mar 9, 2016 | Microsoft .NET Framework 2.0 SP2, 3.0 SP2, 3.5, 3.5.1, 4.5.2, 4.6, and 4.6.1 mishandles signature validation for unspecified elements of XML documents, which allows remote attackers to spoof signatures via a modified document, aka ".NET XML Validation Security Feature Bypass." | ||
| CVE-2008-3465 | Cri | 0.65 | 9.8 | 0.14 | Dec 10, 2008 | Heap-based buffer overflow in an API in GDI in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows context-dependent attackers to cause a denial of service or execute arbitrary code via a WMF file with a malformed… | ||
| CVE-2006-3730 | Hig | 0.65 | 8.8 | 0.64 | Jul 21, 2006 | Integer overflow in Microsoft Internet Explorer 6 on Windows XP SP2 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a 0x7fffffff argument to the setSlice method on a WebViewFolderIcon ActiveX object, which leads to an invalid memory… | ||
| CVE-2026-47643 | Cri | 0.64 | 9.8 | 0.01 | Jun 9, 2026 | External control of file name or path in Azure Stack Edge allows an unauthorized attacker to execute code over a network. | ||
| CVE-2026-47291 | Cri | 0.64 | 9.8 | 0.22 | Jun 9, 2026 | Integer overflow or wraparound in Windows HTTP.sys allows an unauthorized attacker to execute code over a network. | ||
| CVE-2026-45657 | Cri | 0.64 | 9.8 | 0.15 | Jun 9, 2026 | Use after free in Windows Kernel allows an unauthorized attacker to execute code over a network. | ||
| CVE-2026-44815 | Cri | 0.64 | 9.8 | 0.01 | Jun 9, 2026 | Stack-based buffer overflow in Windows DHCP Client allows an unauthorized attacker to execute code over a network. | ||
| CVE-2025-71316 | Cri | 0.64 | 9.8 | 0.00 | Jun 4, 2026 | SQLite 'sqldiff.exe' does not securely handle the way the Microsoft Windows C runtime converts Unicode characters to ANSI codepages. An attacker could use the '-L' option to load an arbitrary DLL with a crafted command line argument string that results in command line file… | ||
| CVE-2026-40411 | Cri | 0.64 | 9.9 | 0.01 | May 22, 2026 | Improper input validation in Azure Virtual Network Gateway allows an authorized attacker to execute code over a network. | ||
| CVE-2026-42898 | Cri | 0.64 | 9.9 | 0.01 | May 12, 2026 | Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network. | ||
| CVE-2026-42823 | Cri | 0.64 | 9.9 | 0.01 | May 12, 2026 | Improper access control in Azure Logic Apps allows an authorized attacker to elevate privileges over a network. | ||
| CVE-2026-41096 | Cri | 0.64 | 9.8 | 0.02 | May 12, 2026 | Heap-based buffer overflow in Microsoft Windows DNS allows an unauthorized attacker to execute code over a network. | ||
| CVE-2026-41089 | Cri | 0.64 | 9.8 | 0.72 | May 12, 2026 | Stack-based buffer overflow in Windows Netlogon allows an unauthorized attacker to execute code over a network. | ||
| CVE-2026-33109 | Cri | 0.64 | 9.9 | 0.01 | May 7, 2026 | Improper access control in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network. | ||
| CVE-2022-50993 | Cri | 0.64 | 9.8 | 0.01 | Apr 30, 2026 | Weaver (Fanwei) E-office versions prior to 10.0_20221201 contain an unauthenticated arbitrary file upload vulnerability in the OfficeServer.php endpoint that allows remote attackers to upload malicious files by sending multipart POST requests with arbitrary filenames and… | ||
| CVE-2026-21515 | Cri | 0.64 | 9.9 | 0.01 | Apr 24, 2026 | Exposure of sensitive information to an unauthorized actor in Azure IOT Central allows an authorized attacker to elevate privileges over a network. | ||
| CVE-2026-33824 | Cri | 0.64 | 9.8 | 0.56 | Apr 14, 2026 | Double free in Windows IKE Extension allows an unauthorized attacker to execute code over a network. | ||
| CVE-2026-32194 | Cri | 0.64 | 9.8 | 0.01 | Mar 19, 2026 | Improper neutralization of special elements used in a command ('command injection') in Microsoft Bing Images allows an unauthorized attacker to execute code over a network. | ||
| CVE-2026-32191 | Cri | 0.64 | 9.8 | 0.01 | Mar 19, 2026 | Improper neutralization of special elements used in an os command ('os command injection') in Microsoft Bing Images allows an unauthorized attacker to execute code over a network. | ||
| CVE-2025-60724 | Cri | 0.64 | 9.8 | 0.06 | Nov 11, 2025 | Heap-based buffer overflow in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network. | ||
| CVE-2025-60710 | Hig | 0.64 | 7.8 | 0.05 | KEV | Nov 11, 2025 | Improper link resolution before file access ('link following') in Host Process for Windows Tasks allows an authorized attacker to elevate privileges locally. | |
| CVE-2025-53766 | Cri | 0.64 | 9.8 | 0.07 | Aug 12, 2025 | Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker to execute code over a network. | ||
| CVE-2018-8319 | Cri | 0.64 | 9.8 | 0.07 | Jul 11, 2018 | A Security Feature Bypass vulnerability exists in MSR JavaScript Cryptography Library that is caused by incorrect arithmetic computations, aka "MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability." This affects Microsoft Research JavaScript Cryptography… | ||
| CVE-2017-11899 | Cri | 0.64 | 9.8 | 0.06 | Dec 12, 2017 | Device Guard in Windows 10 1511, 1607, 1703 and 1709, Windows Server 2016 and Windows Server, version 1709 allows a security feature bypass vulnerability due to the way untrusted files are handled, aka "Microsoft Windows Security Feature Bypass Vulnerability". | ||
| CVE-2017-8682 | Hig | 0.64 | 8.8 | 0.50 | Sep 13, 2017 | Windows graphics on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, Windows Server 2016, Microsoft Office Word Viewer, Microsoft Office 2007 Service Pack 3 , and… | ||
| CVE-2017-0090 | Hig | 0.64 | 8.8 | 0.43 | Mar 17, 2017 | Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows remote attackers to execute arbitrary code via a crafted web site, aka "Uniscribe Remote Code Execution Vulnerability." This vulnerability is different from those described in… | ||
| CVE-2017-0088 | Hig | 0.64 | 8.8 | 0.42 | Mar 17, 2017 | Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows remote attackers to execute arbitrary code via a crafted web site, aka "Windows Uniscribe Remote Code Execution Vulnerability." |
- risk 0.65cvss 10.0epss 0.01
Authentication bypass by spoofing in Azure HorizonDB allows an unauthorized attacker to elevate privileges over a network.
- risk 0.65cvss 10.0epss 0.00
Improper authentication in Azure Resource Manager (ARM) allows an unauthorized attacker to elevate privileges over a network.
- risk 0.65cvss 10.0epss 0.00
Origin validation error in Microsoft Entra ID allows an unauthorized attacker to elevate privileges over a network.
- risk 0.65cvss 10.0epss 0.01
Deserialization of untrusted data in Microsoft Planetary Computer Pro allows an unauthorized attacker to disclose information over a network.
- risk 0.65cvss 10.0epss 0.01
Unrestricted upload of file with dangerous type in Azure Orbital Spatio allows an unauthorized attacker to execute code over a network.
- risk 0.65cvss 10.0epss 0.01
Improper neutralization of special elements used in a command ('command injection') in Microsoft Power Pages allows an unauthorized attacker to execute code over a network.
- risk 0.65cvss 10.0epss 0.00
Improper authentication in Azure Local Disconnected Operations allows an unauthorized attacker to elevate privileges over a network.
- risk 0.65cvss 8.1epss 0.06
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
- risk 0.65cvss 10.0epss 0.01
Exposure of sensitive information to an unauthorized actor in Azure DevOps allows an unauthorized attacker to disclose information over a network.
- risk 0.65cvss 10.0epss 0.01
Server-side request forgery (ssrf) in Microsoft Entra ID Entitlement Management allows an unauthorized attacker to perform spoofing over a network.
- risk 0.65cvss 10.0epss 0.01
Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.
- risk 0.65cvss 10.0epss 0.01
Server-side request forgery (ssrf) in Microsoft Bing allows an unauthorized attacker to elevate privileges over a network.
- risk 0.65cvss 10.0epss 0.01
Server-side request forgery (ssrf) in Azure Databricks allows an unauthorized attacker to elevate privileges over a network.
- risk 0.65cvss 10.0epss 0.01
Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over a network.
- risk 0.65cvss 10.0epss 0.01
Improper authorization in Azure AI Foundry allows an unauthorized attacker to elevate privileges over a network.
- risk 0.65cvss 10.0epss 0.01
Server-side request forgery (ssrf) in Azure Cloud Shell allows an unauthorized attacker to elevate privileges over a network.
- risk 0.65cvss 7.5epss 1.00
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
- risk 0.65cvss 9.8epss 0.21
A remote code execution vulnerability exists in PowerShell Editor Services, aka "PowerShell Editor Services Remote Code Execution Vulnerability." This affects PowerShell Editor, PowerShell Extension.
- risk 0.65cvss 9.8epss 0.22
A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka "Microsoft Exchange Memory Corruption Vulnerability." This affects Microsoft Exchange Server. This CVE ID is unique from CVE-2018-8151.
- risk 0.65cvss 8.8epss 0.61
A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a specially crafted file, leading to memory corruption, aka "Microsoft Malware Protection Engine Remote Code Execution Vulnerability." This affects Windows Defender,…
- risk 0.65cvss 9.8epss 0.19
A remote code execution vulnerability exists when Microsoft scripting engine improperly accesses objects in memory. The vulnerability could corrupt memory in a way that enables an attacker to execute arbitrary code in the context of the current user. An attacker who successfully…
- risk 0.65cvss 8.8epss 0.57
Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows remote attackers to execute arbitrary code via a crafted web site, aka "Uniscribe Remote Code Execution Vulnerability." This vulnerability is different from those described in…
- risk 0.65cvss 8.8epss 0.57
Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Microsoft Edge Memory Corruption Vulnerability."
- risk 0.65cvss 9.8epss 0.22
Microsoft .NET Framework 2.0 SP2, 3.0 SP2, 3.5, 3.5.1, 4.5.2, 4.6, and 4.6.1 mishandles signature validation for unspecified elements of XML documents, which allows remote attackers to spoof signatures via a modified document, aka ".NET XML Validation Security Feature Bypass."
- risk 0.65cvss 9.8epss 0.14
Heap-based buffer overflow in an API in GDI in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows context-dependent attackers to cause a denial of service or execute arbitrary code via a WMF file with a malformed…
- risk 0.65cvss 8.8epss 0.64
Integer overflow in Microsoft Internet Explorer 6 on Windows XP SP2 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a 0x7fffffff argument to the setSlice method on a WebViewFolderIcon ActiveX object, which leads to an invalid memory…
- risk 0.64cvss 9.8epss 0.01
External control of file name or path in Azure Stack Edge allows an unauthorized attacker to execute code over a network.
- risk 0.64cvss 9.8epss 0.22
Integer overflow or wraparound in Windows HTTP.sys allows an unauthorized attacker to execute code over a network.
- risk 0.64cvss 9.8epss 0.15
Use after free in Windows Kernel allows an unauthorized attacker to execute code over a network.
- risk 0.64cvss 9.8epss 0.01
Stack-based buffer overflow in Windows DHCP Client allows an unauthorized attacker to execute code over a network.
- risk 0.64cvss 9.8epss 0.00
SQLite 'sqldiff.exe' does not securely handle the way the Microsoft Windows C runtime converts Unicode characters to ANSI codepages. An attacker could use the '-L' option to load an arbitrary DLL with a crafted command line argument string that results in command line file…
- risk 0.64cvss 9.9epss 0.01
Improper input validation in Azure Virtual Network Gateway allows an authorized attacker to execute code over a network.
- risk 0.64cvss 9.9epss 0.01
Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.
- risk 0.64cvss 9.9epss 0.01
Improper access control in Azure Logic Apps allows an authorized attacker to elevate privileges over a network.
- risk 0.64cvss 9.8epss 0.02
Heap-based buffer overflow in Microsoft Windows DNS allows an unauthorized attacker to execute code over a network.
- risk 0.64cvss 9.8epss 0.72
Stack-based buffer overflow in Windows Netlogon allows an unauthorized attacker to execute code over a network.
- risk 0.64cvss 9.9epss 0.01
Improper access control in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network.
- risk 0.64cvss 9.8epss 0.01
Weaver (Fanwei) E-office versions prior to 10.0_20221201 contain an unauthenticated arbitrary file upload vulnerability in the OfficeServer.php endpoint that allows remote attackers to upload malicious files by sending multipart POST requests with arbitrary filenames and…
- risk 0.64cvss 9.9epss 0.01
Exposure of sensitive information to an unauthorized actor in Azure IOT Central allows an authorized attacker to elevate privileges over a network.
- risk 0.64cvss 9.8epss 0.56
Double free in Windows IKE Extension allows an unauthorized attacker to execute code over a network.
- risk 0.64cvss 9.8epss 0.01
Improper neutralization of special elements used in a command ('command injection') in Microsoft Bing Images allows an unauthorized attacker to execute code over a network.
- risk 0.64cvss 9.8epss 0.01
Improper neutralization of special elements used in an os command ('os command injection') in Microsoft Bing Images allows an unauthorized attacker to execute code over a network.
- risk 0.64cvss 9.8epss 0.06
Heap-based buffer overflow in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network.
- risk 0.64cvss 7.8epss 0.05
Improper link resolution before file access ('link following') in Host Process for Windows Tasks allows an authorized attacker to elevate privileges locally.
- risk 0.64cvss 9.8epss 0.07
Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker to execute code over a network.
- risk 0.64cvss 9.8epss 0.07
A Security Feature Bypass vulnerability exists in MSR JavaScript Cryptography Library that is caused by incorrect arithmetic computations, aka "MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability." This affects Microsoft Research JavaScript Cryptography…
- risk 0.64cvss 9.8epss 0.06
Device Guard in Windows 10 1511, 1607, 1703 and 1709, Windows Server 2016 and Windows Server, version 1709 allows a security feature bypass vulnerability due to the way untrusted files are handled, aka "Microsoft Windows Security Feature Bypass Vulnerability".
- risk 0.64cvss 8.8epss 0.50
Windows graphics on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, Windows Server 2016, Microsoft Office Word Viewer, Microsoft Office 2007 Service Pack 3 , and…
- risk 0.64cvss 8.8epss 0.43
Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows remote attackers to execute arbitrary code via a crafted web site, aka "Uniscribe Remote Code Execution Vulnerability." This vulnerability is different from those described in…
- risk 0.64cvss 8.8epss 0.42
Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows remote attackers to execute arbitrary code via a crafted web site, aka "Windows Uniscribe Remote Code Execution Vulnerability."
Page 4 of 284