Microsoft Makers of the Windows Operating System and hundreds of products that run on it.
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Microsoft product.
RSS Feeds for Microsoft security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in Microsoft products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by Microsoft Sorted by Most Security Vulnerabilities since 2018
Recent Microsoft Security Advisories
| Advisory | Title | Published |
|---|---|---|
| CVE-2026-40467 | CVE-2026-40467 Use after free in gawk | July 14, 2026 |
| CVE-2026-40468 | CVE-2026-40468 Heap buffer overflow in gawk | July 14, 2026 |
| CVE-2026-40469 | CVE-2026-40469 Heap buffer overflow in gawk | July 14, 2026 |
| CVE-2026-40553 | CVE-2026-40553 Stack-based buffer overflow in gawk | July 14, 2026 |
| CVE-2026-59874 | CVE-2026-59874 node-tar: Negative tar entry size causes infinite loop in archive replace | July 12, 2026 |
| CVE-2026-59873 | CVE-2026-59873 node-tar: Decompression/parse DoS via unlimited input | July 12, 2026 |
| CVE-2026-59871 | CVE-2026-59871 node-tar: Process crash via PAX numeric path type confusion | July 12, 2026 |
| CVE-2026-15308 | CVE-2026-15308 Incremental HTMLParser feed() allows CPU-exhaustion DoS via repeated unterminated markup declarations | July 12, 2026 |
| CVE-2026-14428 | Chromium: CVE-2026-14428 Insufficient validation of untrusted input in Dawn | July 11, 2026 |
| CVE-2026-14382 | Chromium: CVE-2026-14382 Insufficient validation of untrusted input in ANGLE | July 11, 2026 |
Known Exploited Microsoft Vulnerabilities
The following Microsoft vulnerabilities have recently been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| Microsoft SharePoint Server Deserialization of Untrusted Data Vulnerability |
Microsoft SharePoint Server contains a deserialization of untrusted data vulnerability which allows an authorized attacker to execute code over a network. CVE-2026-45659 Exploit Probability: 1.7% |
July 1, 2026 |
| Microsoft Internet Explorer Use-After-Free Vulnerability |
Microsoft Internet Explorer contains an use-after-free vulnerability that could allow remote attackers to execute arbitrary code by accessing a pointer associated with a deleted object. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization. CVE-2010-0249 Exploit Probability: 91.9% |
May 20, 2026 |
| Microsoft Windows Buffer Overflow Vulnerability |
Microsoft Windows contains a buffer overflow vulnerability in the Windows Server Service that allows remote attackers to execute arbitrary code via a crafted RPC request that triggers an overflow during path canonicalization. CVE-2008-4250 Exploit Probability: 98.8% |
May 20, 2026 |
| Microsoft Defender Denial of Service Vulnerability |
Microsoft Defender contains an unspecified vulnerability that allows for denial of service. CVE-2026-45498 Exploit Probability: 2.5% |
May 20, 2026 |
| Microsoft DirectX NULL Byte Overwrite Vulnerability |
Microsoft DirectX contains a NULL byte overwrite vulnerability in the QuickTime Movie Parser Filter in quartz.dll in DirectShow which could allow remote attackers to execute arbitrary code via a crafted QuickTime media file. CVE-2009-1537 Exploit Probability: 50.9% |
May 20, 2026 |
| Microsoft Internet Explorer Use-After-Free Vulnerability |
Microsoft Internet Explorer contains an use-after-free vulnerability that could allow remote attackers to execute arbitrary code via vectors involving access to an invalid pointer after the deletion of an object. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization. CVE-2010-0806 Exploit Probability: 82.2% |
May 20, 2026 |
| Microsoft Defender Link Following Vulnerability |
Microsoft Defender contains a link following vulnerability that allows an authorized attacker to elevate privileges locally. CVE-2026-41091 Exploit Probability: 1.2% |
May 20, 2026 |
| Microsoft Exchange Server Cross-Site Scripting Vulnerability |
Microsoft Exchange Server contains a cross-site scripting vulnerability during web page generation in Outlook Web Access and when certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context. CVE-2026-42897 Exploit Probability: 2.5% |
May 15, 2026 |
| Microsoft Windows Protection Mechanism Failure Vulnerability |
Microsoft Windows Shell contains a protection mechanism failure vulnerability that allows an unauthorized attacker to perform spoofing over a network. CVE-2026-32202 Exploit Probability: 20.0% |
April 28, 2026 |
| Microsoft Defender Insufficient Granularity of Access Control Vulnerability |
Microsoft Defender contains an insufficient granularity of access control vulnerability that could allow an authorized attacker to escalate privileges locally. CVE-2026-33825 Exploit Probability: 6.2% |
April 22, 2026 |
| Microsoft Office Remote Code Execution |
Microsoft Office Excel contains a remote code execution vulnerability that could allow an attacker to take complete control of an affected system if a user opens a specially crafted Excel file that includes a malformed object. CVE-2009-0238 Exploit Probability: 43.1% |
April 14, 2026 |
| Microsoft SharePoint Server Improper Input Validation Vulnerability |
Microsoft SharePoint Server contains an improper input validation vulnerability that allows an unauthorized attacker to perform spoofing over a network. CVE-2026-32201 Exploit Probability: 24.2% |
April 14, 2026 |
| Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability |
Microsoft Exchange Server contains a deserialization of untrusted data that allows an authenticated attacker to achieve remote code execution. CVE-2023-21529 Exploit Probability: 62.1% |
April 13, 2026 |
| Microsoft Visual Basic for Applications Insecure Library Loading Vulnerability |
Microsoft Visual Basic for Applications (VBA) contains an insecure library loading vulnerability that could allow for remote code execution. CVE-2012-1854 Exploit Probability: 21.0% |
April 13, 2026 |
| Microsoft Windows Link Following Vulnerability |
Microsoft Windows contains a link following vulnerability that allows for privilege escalation CVE-2025-60710 Exploit Probability: 4.6% |
April 13, 2026 |
| Microsoft Windows Out-of-Bounds Read Vulnerability |
Microsoft Windows Common Log File System Driver contains an out-of-bounds read vulnerability that could allow a threat actor for privileges escalation CVE-2023-36424 Exploit Probability: 12.2% |
April 13, 2026 |
| Microsoft SharePoint Deserialization of Untrusted Data Vulnerability |
Microsoft SharePoint contains a deserialization of untrusted data vulnerability that allows an unauthorized attacker to execute code over a network. CVE-2026-20963 Exploit Probability: 31.1% |
March 18, 2026 |
| Microsoft Windows Video ActiveX Control Remote Code Execution Vulnerability |
Microsoft Windows Video ActiveX Control contains a remote code execution vulnerability. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. CVE-2008-0015 Exploit Probability: 76.6% |
February 17, 2026 |
| Microsoft Configuration Manager SQL Injection Vulnerability |
Microsoft Configuration Manager contains an SQL injection vulnerability. An unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to the target environment which are processed in an unsafe manner enabling the attacker to execute commands on the server and/or underlying database. CVE-2024-43468 Exploit Probability: 60.7% |
February 12, 2026 |
| Microsoft Internet Explorer Protection Mechanism Failure Vulnerability |
Microsoft Internet Explorer contains a protection mechanism failure vulnerability that could allow an unauthorized attacker to bypass a security feature over a network. CVE-2026-21513 Exploit Probability: 15.4% |
February 10, 2026 |
Of the known exploited vulnerabilities above, 6 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 8 known exploited Microsoft vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.
Top 10 Riskiest Microsoft Vulnerabilities
Based on the current exploit probability, these Microsoft vulnerabilities are on CISA's Known Exploited vulnerabilities list (KEV) and are ranked by the current EPSS exploit probability.
| Rank | CVE | EPSS | Vulnerability |
|---|---|---|---|
| 1 | CVE-2021-34473 | 100.0% | Microsoft Exchange Server Remote Code Execution Vulnerability |
| 2 | CVE-2021-26855 | 100.0% | Microsoft OWA Exchange Control Panel (ECP) Exploit Chain |
| 3 | CVE-2019-0708 | 100.0% | "BlueKeep" Microsoft Windows Remote Desktop Remote Code Execution Vulnerability |
| 4 | CVE-2015-1635 | 100.0% | Microsoft HTTP.sys Remote Code Execution Vulnerability |
| 5 | CVE-2021-34523 | 100.0% | Microsoft Exchange Server Privilege Escalation Vulnerability |
| 6 | CVE-2025-53770 | 100.0% | Microsoft SharePoint Deserialization of Untrusted Data Vulnerability |
| 7 | CVE-2012-0158 | 100.0% | Microsoft MSCOMCTL.OCX Remote Code Execution Vulnerability |
| 8 | CVE-2020-0688 | 100.0% | Microsoft Exchange Server Key Validation Vulnerability |
| 9 | CVE-2022-41082 | 100.0% | Microsoft Exchange Server Remote Code Execution Vulnerability |
| 10 | CVE-2025-59287 | 100.0% | Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability |
By the Year
In 2026 there have been 3845 vulnerabilities in Microsoft with an average score of 7.2 out of ten. Last year, in 2025 Microsoft had 2750 security vulnerabilities published. That is, 1095 more vulnerabilities have already been reported in 2026 as compared to last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.14.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 3845 | 7.22 |
| 2025 | 2750 | 7.08 |
| 2024 | 2182 | 7.33 |
| 2023 | 1695 | 7.22 |
| 2022 | 1389 | 7.43 |
| 2021 | 1153 | 7.44 |
| 2020 | 1253 | 7.20 |
| 2019 | 831 | 7.08 |
| 2018 | 661 | 7.03 |
It may take a day or so for new Microsoft vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Microsoft Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-40553 | Jul 13, 2026 |
gawk <5.4.0 Buffer Overflow (ftype)Buffer overflow vulnerability has been found in "extension/readdir.c" program file of gawk (ftype() routine). This issue could be used to crash the program and potentially to achieve code execution, although the latter has not been confirmed to be feasible. It affects gawk in versions 5.4.0 and below. |
|
| CVE-2026-40469 | Jul 13, 2026 |
Integer Overflow in Builtin.c of gawk 5.4.0 (32bit)Integer overflow vulnerability has been found in "builtin.c" program file of gawk (do_sub() routine). This issue could be used to overwrite gawk heap metadata and objects causing the program to crash. It affects 32-bit builds of gawk in versions 5.4.0 and below. |
|
| CVE-2026-40468 | Jul 13, 2026 |
gawk Integer Overflow in builtin.c (<=5.4.0)Integer overflow vulnerability has been found in "builtin.c" program file of gawk. This issue may lead to memory exhaustion on the hosting operating system and could be used to overwrite gawk heap metadata and objects with attacker-controlled bytes. It affects gawk in versions 5.4.0 and below. |
|
| CVE-2026-40467 | Jul 13, 2026 |
Gawk Use After Free in io.c (do_getline_redir) - Before 5.4.0Use After Free vulnerability has been found in "io.c" program file of gawk (do_getline_redir() routine). This issue may lead to a crash. It affects gawk in versions 5.4.0 and below. |
|
| CVE-2026-58596 | Jul 12, 2026 |
Jul 2026: Microsoft Edge (Chromium-based) Elevation of Privilege VulnerabilityUntrusted pointer dereference in Microsoft Edge (Chromium-based) allows an unauthorized attacker to elevate privileges over a network. |
|
| CVE-2026-58281 | Jul 11, 2026 |
Jul 2026: Microsoft Edge (Chromium-based) Remote Code Execution VulnerabilityDeserialization of untrusted data in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network. |
|
| CVE-2026-14461 | Jul 10, 2026 |
mtr 0.96 OOB Read in ipinfo_lookup() via DNS TXTmtr is vulnerable to Out-of-bound read vulnerability in ipinfo_lookup() function. An attacker who can influence the TXT response used for AS lookups can trigger this bug by returning a DNS response that is larger than 512 bytes and uses a crafted compression pointer in the answer NAME field. ipinfo_lookup() function uses the length of the response as the end-of-message boundary for dn_expand() function. The result is a reliable crash. This issue exists in the mtr through version 0.96 and it was fixed in commit 48e1794414d338ce47abc0f27c25ade8788af9c3. |
|
| CVE-2026-59856 | Jul 09, 2026 |
Vim 9.2.0736 PHP Omni-Completion Open Shell via win_executeVim is an open source, command line text editor. Prior to 9.2.0736, the PHP omni-completion script in runtime/autoload/phpcomplete.vim interpolates a class or trait name, taken from the contents of the edited buffer, into a search() pattern that is run via win_execute() without escaping. A name containing a single quote can terminate the search() string argument early, and because the bar is honored as an Ex command separator, the remainder of the name is run as Ex commands; via the :! command this allows arbitrary operating-system command execution when a victim opens a crafted PHP file and invokes omni-completion. This issue is fixed in version 9.2.0736. |
|
| CVE-2026-15308 | Jul 09, 2026 |
CPython <3.16 CPU DoS via Unterminated Markup in html.parser.HTMLParserThe incremental HTML parser (html.parser.HTMLParser) allows for CPU denial-of-service through repeated unterminated markup declarations when processing uncontrolled data. |
|
| CVE-2026-56289 | Jul 09, 2026 |
DoS in GNU Patch via Unrealistic Hunk OffsetsGNU patch is vulnerable to a denial of service (DoS) due to improper validation of hunk (single block of changes in diff) line offsets in unified-diff input. A specially crafted patch can specify an extremely large line number, causing the application to enter an effectively infinite processing loop while attempting to locate the requested position. This results in excessive CPU consumption and prevents the process from completing. An attacker can trigger this behavior by supplying a malicious patch file, causing the utility to become unresponsive and require manual termination. This issue has been fixed in the commit faba04ef4f2b410257f76c1b9dc85e350929c4b9 |
|
| CVE-2026-56288 | Jul 09, 2026 |
Null Pointer Dereference in GNU Patch (CVE-2026-56288)GNU patch is vulnerable to a NULL pointer dereference when processing a specially crafted unified-diff patch file. Improper handling of consecutive end-of-file newline markers can corrupt internal hunk (single block of changes in diff) data structures, causing the application to pass a NULL pointer to fwrite() during patch processing. An attacker can trigger this condition with a malicious patch file, causing the utility to crash and resulting in a denial of service. This issue has been fixed in the commit e6d6a4e021660679d7fc9150f981d4920f722313 |
|
| CVE-2026-47646 | Jul 08, 2026 |
Jul 2026: Dynamics 365 Customer Voice Spoofing VulnerabilityImproper neutralization of input during web page generation ('cross-site scripting') in Dynamics 365 Customer Voice allows an unauthorized attacker to perform spoofing over a network. |
|
| CVE-2026-59818 | Jul 08, 2026 |
Etcd gRPC Auth Bypass: CRL Not Enforced up to v3.6.13 or <3.5.32etcd is a distributed key-value store for the data of a distributed system. Prior to 3.5.32 and 3.6.13, when etcd is configured with --listen-client-http-urls to split HTTP and gRPC client endpoints onto separate listeners, the --client-crl-file Certificate Revocation List is not enforced on the gRPC listener, allowing a client with a revoked certificate to authenticate successfully over gRPC. This issue is fixed in versions 3.5.32 and 3.6.13. |
|
| CVE-2026-58525 | Jul 08, 2026 |
Jul 2026: Microsoft Edge (Chromium-based) Security Feature Bypass VulnerabilityImproper access control in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network. |
|
| CVE-2026-58208 | Jul 08, 2026 |
NATS Server WebSocket MQTT Crash (Unauthenticated) 2.12.12-2.14.2NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a WebSocket listener could route requests for the MQTT-over-WebSocket path into MQTT handling even when MQTT was not configured, allowing an unauthenticated client with access to the WebSocket listener to reach uninitialized MQTT state and crash the server process. This issue is fixed in versions 2.14.3 and 2.12.12. |
|
| CVE-2026-58207 | Jul 08, 2026 |
NATS Server 2.12/2.14 Crash from Connz Pagination OverflowNATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a client able to send account-scoped connection monitoring requests could crash the server by supplying Connz pagination Offset and Limit values that overflowed internal arithmetic before the response window was safely bounded. This issue is fixed in versions 2.14.3 and 2.12.12. |
|
| CVE-2026-58209 | Jul 08, 2026 |
NATS Server MQTT Topic Bypass: Deny Rules Not Enforced (v<2.12.12, v<2.14.3)NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, MQTT retained message delivery and QoS1+ durable replay could deliver messages whose original topics matched a subscriber configured subscribe deny rule because these delivery paths did not consistently recheck the concrete original topic before sending the MQTT PUBLISH to the subscriber. This issue is fixed in versions 2.14.3 and 2.12.12. |
|
| CVE-2026-58250 | Jul 08, 2026 |
NATS Server <2.12.8 / <2.11.17: Unauth Peer Crash via Leafnode INFONATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.12.8 and 2.11.17, an unauthenticated peer with network access to a leafnode listener with compression enabled could crash the server during the pre-authentication leafnode handshake by sending repeated leafnode INFO protocol messages before authentication and account setup completed. This issue is fixed in versions 2.12.8 and 2.11.17. |
|
| CVE-2026-58252 | Jul 08, 2026 |
NATS Server <=2.11.16 Auth User Bypass Denied Subject via Wildcard SubNATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, an authenticated user could receive messages on denied subjects when a wildcard subscription overlapped with a configured wildcard deny rule but was not a subset of it, and queue subscriptions could also affect delivery to legitimate queue consumers. This issue is fixed in versions 2.14.0, 2.12.7, and 2.11.16. |
|
| CVE-2026-58253 | Jul 08, 2026 |
NATS Server NO_AUTH Bypass before 2.11.16NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, when no_auth_user was configured, a parser fast path intended for ordinary client connections could also apply to route or leafnode listeners, allowing an unauthenticated peer to bypass inter-server CONNECT authentication and operate with the privileges associated with that connection type. This issue is fixed in versions 2.14.0, 2.12.7, and 2.11.16. |
|
| CVE-2026-58251 | Jul 08, 2026 |
NATS Server 2.11.x Queue Sub Deny BypassNATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, an authenticated user with subscription deny permissions could bypass a plain subject deny rule by using a queue subscription, because queue-specific deny evaluation could override the plain subject deny result when the queue name itself was not denied. This issue is fixed in versions 2.14.0, 2.12.7, and 2.11.16. |
|
| CVE-2026-59928 | Jul 08, 2026 |
Python Mistune <3.3.0 DoS via quadratic ref link parsingMistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a Markdown document containing many repeated or distinct reference-link definitions causes quadratic work in src/mistune/block_parser.py and the ref_links environment dictionary handling, allowing denial of service through CPU exhaustion. This issue is fixed in version 3.3.0. |
|
| CVE-2026-59925 | Jul 08, 2026 |
Misuse of Double/Triple Asterisk Emphasis in Mistune 3.2.9 Leads to DOSMistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, long sequences of well-formed double-asterisk or triple-asterisk emphasis pairs around a character cause quadratic work in src/mistune/inline_parser.py because the parser scans forward for matching close markers from every potential opening run, allowing denial of service in default Mistune parsing. This issue is fixed in version 3.3.0. |
|
| CVE-2026-59926 | Jul 08, 2026 |
Python Mistune <3.2.1 Admonition: unescaped :class: leads to XSS in HTMLRendererMistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, render_admonition() in src/mistune/directives/admonition.py concatenates the Admonition directive :class: option into the HTML class attribute without escaping, allowing attribute injection and cross-site scripting even when HTMLRenderer escape mode is enabled. This issue is fixed in version 3.2.1. |
|
| CVE-2026-59930 | Jul 08, 2026 |
Mistune <3.3.0 ID Collision via TOC Plugin Allows Same-Page RedirectMistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the toc plugin and TableOfContents directive generate heading IDs as predictable toc_N values without slugifying the heading text, allowing attacker-controlled id="toc_N" content to collide with generated anchors and redirect same-page navigation, CSS selectors, or JavaScript handlers. This issue is fixed in version 3.3.0. |
|
| CVE-2026-59922 | Jul 08, 2026 |
CVE-2026-59922: Mistune DDoS via Quadratic Work in Markup Parser <3.3.0Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a run of closed tilde, equals-sign, or caret marker pairs around a character causes quadratic work in src/mistune/plugins/formatting.py when the strikethrough, mark, or insert plugin scans for matching markers from each possible start position, allowing denial of service through CPU exhaustion. This issue is fixed in version 3.3.0. |
|
| CVE-2026-59890 | Jul 08, 2026 |
setuptools <83 FileList Unicode normalization bypass (CVE-2026-59890)setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. Prior to 83.0.0, FileList applied MANIFEST.in exclude, global-exclude, recursive-exclude, and prune directives by matching compiled glob patterns against on-disk file names without Unicode normalization, so on macOS APFS or HFS+ an NFD file name could bypass an NFC exclusion rule and be packed into a source distribution. This issue is fixed in version 83.0.0. |
|
| CVE-2026-59871 | Jul 08, 2026 |
Node-tar <7.5.18 PAX Path Coercion Causing Uncaught TypeErrornode-tar is a tar archive manipulation library for Node.js. Prior to 7.5.18, node-tar coerces all-digit PAX path and linkpath values in src/pax.ts to JavaScript numbers, causing downstream path handling such as normalizeWindowsPath(entry.path).split('/') to throw an uncaught TypeError. This issue is fixed in version 7.5.18. |
|
| CVE-2026-59874 | Jul 08, 2026 |
node-tar 7.5.18: tar.replace Negative Size Header Infinite Loopnode-tar is a tar archive manipulation library for Node.js. Prior to 7.5.18, tar.replace accepts a checksum-valid tar header with a negative base-256 encoded entry size, causing the archive scanner to make no progress while repeatedly parsing the same header. This issue is fixed in version 7.5.18. |
|
| CVE-2026-59873 | Jul 08, 2026 |
Disk Exhaustion via Gzip Bomb in node-tar <7.5.19node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.19, node-tar does not enforce hard upper bounds on total decompressed data, entry counts, or decompression ratio in extraction and parsing paths such as src/extract.ts, allowing a small crafted gzip bomb to exhaust disk space and CPU. This issue is fixed in version 7.5.19. |
|
| CVE-2026-59869 | Jul 08, 2026 |
js-yaml Quadratic CPU DoS via Merge Keys before 3.15/4.3js-yaml is a JavaScript YAML parser and dumper. From 3.0.0 before 3.15.0 and from 4.0.0 before 4.3.0, js-yaml can spend quadratic CPU time parsing a document whose size grows only linearly when a chain of mappings uses merge keys where each mapping merges the previous one. This issue is fixed in versions 3.15.0 and 4.3.0. |
|
| CVE-2026-56003 | Jul 08, 2026 |
libXfont2 <2.0.8: Heap BOV in ComputeScaledProperties PCF parsingA heap buffer overflow due to missing size checking in the property buffer when parsing PCF files in libXfont2 ComputeScaledProperties() before libXfont2 before 2.0.8 could be used by attackers using authenticated X clients to execute code within the X server. |
|
| CVE-2026-56002 | Jul 08, 2026 |
libXfont2 heap buffer overflow in pcfReadFont() before 2.0.8 (X exec)A heap bufferflow in pcfReadFont() due to missing glyph bounds checking in libXfont2 before 2.0.8 allows attackers authenticated as X client to execute code within the X server. |
|
| CVE-2026-56001 | Jul 08, 2026 |
Heap Buffer Overflow in libXfont2 <2.0.8 (BitmapScaleBitmaps) X Server RCEA heap buffer overflow in BitmapScaleBitmaps in libXfont2 before 2.0.8 due to an overflowing 32bit size could be used by attackers able to access the X Server to execute code within the X server cont |
|
| CVE-2026-55999 | Jul 08, 2026 |
Local Heap Overflow via PCX Font in Xorg-Server <21.2.24 (SetFont)Local attackers with a X connection able to provide PCX fonts to the X server xorg-server before 21.2.24 and xwayland before 24.1.13 could cause a heap buffer overflow via SetFont due to missing glyph boundary checks. |
|
| CVE-2026-56000 | Jul 08, 2026 |
Heap UAF in xorg-server/xwayland <21.2.24/24.1.13 via GLX commitLocal attackers with a X connection able to provide GLX commit to the X server xorg-server before 21.2.24 and xwayland before 24.1.13 could cause a Heap Use After Free, due to CommonMakeCurrent() pointing into potentially reallocated memory. |
|
| CVE-2026-60002 | Jul 08, 2026 |
OpenSSH <=10.3 Use-After-Free via Host Key Change (ssh)ssh in OpenSSH before 10.4 can have a use-after-free when a server changes its host key during a key re-exchange. (This outcome occurs only on the client side.) |
|
| CVE-2026-60001 | Jul 08, 2026 |
OpenSSH sshd min auth delay bypass before 10.4sshd in OpenSSH before 10.4 does not always honor the minimum authentication delay. |
|
| CVE-2026-60000 | Jul 08, 2026 |
OpenSSH <10.4 GSSAPI MaxAuthTries DoSsshd in OpenSSH before 10.4 allows remote attackers to cause a denial of service (resource consumption from excessive authentication attempts) because MaxAuthTries was mishandled for GSSAPIAuthentication. |
|
| CVE-2026-59999 | Jul 08, 2026 |
OpenSSH<10.4 DisableForwarding fails to block PermitTunnelIn sshd in OpenSSH before 10.4, DisableForwarding=yes was supposed to take precedence over PermitTunnel=yes, but did not. |
|
| CVE-2026-59998 | Jul 08, 2026 |
OpenSSH sshd GSSAPIStrictAcceptorCheck Misconfig Pre-10.4 on ADsshd in OpenSSH before 10.4 has an undocumented security-relevant behavior: GSSAPIStrictAcceptorCheck has no value if the server is in Windows Active Directory. |
|
| CVE-2026-59997 | Jul 08, 2026 |
OpenSSH <=10.3 internal-sftp accepts only first 9 argsinternal-sftp in sshd in OpenSSH before 10.4 recognizes only the first 9 command-line arguments, which can be important if a later command-line argument would have helped to ensure the intended security properties of an SFTP connection. |
|
| CVE-2026-59996 | Jul 08, 2026 |
OpenSSH <10.4 SCP Path Traversal Remote Files Pushed to Parent Directoryscp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations. |
|
| CVE-2026-59995 | Jul 08, 2026 |
OpenSSH SFTP Server Path Constraint Flaw <10.4sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when "sftp server:/path ." is used with an attacker-controlled server. |
|
| CVE-2026-14740 | Jul 07, 2026 |
DBI 1.649 OOB Read in preparse during comment deletionDBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment. The preparse method normalises SQL and removes comments. When the SQL starts with a comment line, the deletion of that line during normalisation led to an out-of-bounds read by one byte. The result is a fault on memory-hardened builds and nondeterministic newline retention on normal builds. |
|
| CVE-2026-14739 | Jul 07, 2026 |
Perl DBI <1.650 Heap Overflow via Excessive SQL PlaceholdersDBI versions before 1.650 for Perl have a heap overflow when preparsing SQL statements with an extreme number of placeholders. The fix for CVE-2026-10879 did not allocate enough memory to handle approximately 1.2-million placeholders. DBI version 1.650 sets a hard limit of 99,999 placeholders. |
|
| CVE-2026-14380 | Jul 07, 2026 |
DBI <1.650 Code Exec via Caller-Influenced ProfileDBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile. When a string is assigned to a DBI handle's Profile attribute, DBI splits it into path, package and arguments, and interpolates the package part in a string eval with no validation of the package name. Any caller-influenced value that reaches the Profile attribute is therefore arbitrary Perl code execution, including calls to run system commands. The Profile attribute can be set from three different sources that can carry untrusted data: the DBI_PROFILE environment variable, a direct attribute assignment, and a DSN driver-attribute clause dbi:Driver(Profile=>SPEC):db. An attacker controlling any of those inputs runs arbitrary Perl in the host process. The strongest remote position is a network-exposed DBI::Gofer / DBI::ProxyServer whose per-request DSN reaches the Profile attribute, letting a client execute code on the broker host. |
|
| CVE-2026-14647 | Jul 04, 2026 |
onnxruntime OOB Read via convPoolShapeInference_opset19 (<=1.21.x)A weakness has been identified in onnx up to 1.21.x. This vulnerability affects the function convPoolShapeInference_opset19 of the file onnx/defs/nn/old.cc of the component onnxruntime. This manipulation causes out-of-bounds read. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. Patch name: a7bf3a0f1d18bb62575236ef6e4944980c40e045. It is recommended to apply a patch to fix this issue. |
|
| CVE-2026-53359 | Jul 04, 2026 |
Linux KVM x86 Shadow Paging UAF via Role MismatchIn the Linux kernel, the following vulnerability has been resolved: KVM: x86: Fix shadow paging use-after-free due to unexpected role Commit 0cb2af2ea66ad ("KVM: x86: Fix shadow paging use-after-free due to unexpected GFN") fixed a shadow paging mismatch between stored and computed GFNs; the bug could be triggered by changing a PDE mapping from outside the guest, and then deleting a memslot. The rmap_remove() call would miss entries created after the PDE change because the GFN of the leaf SPTE does not match the GFN of the struct kvm_mmu_page. A similar hole however remains if the modified PDE points to a non-leaf page. In this case the gfn can be made to match, but the role does not match: the original large 2MB page creates a kvm_mmu_page with direct=1, while the new 4KB needs a kvm_mmu_page with direct=0. However, kvm_mmu_get_child_sp() does not compare the role, and therefore reuses the page. The next step is installing a leaf (4KB) SPTE on the new path which records an rmap entry under the gfn resolved by the walk. But when that child is zapped its parent kvm_mmu_page has direct=1 and kvm_mmu_page_get_gfn() computes the gfn for the 4KB page as sp->gfn + index instead of using sp->shadowed_translation[] (or sp->gfns[] in older kernels). It therefore fails to remove the recorded entry. When the memslot is dropped the shadow page is freed but the rmap entry survives, as in the scenario that was already fixed. Code that later walks that gfn (dirty logging, MMU notifier invalidation, and so on) dereferences an sptep that lies in the freed page, causing the use-after-free. |
|
| CVE-2026-58523 | Jul 03, 2026 |
Jul 2026: Microsoft Edge for Android Security Feature Bypass VulnerabilityImproper access control in Microsoft Edge for Android allows an unauthorized attacker to bypass a security feature over a network. |
|