Microsoft: Makers of the Windows Operating System and hundreds of products that run on it.


Products by Microsoft Sorted by Most Security Vulnerabilities since 2018

Microsoft Windows 10: 4621 vulnerabilities
Microsoft Windows Server 2016: 4392 vulnerabilities
Microsoft Windows Server 2019: 4392 vulnerabilities
Microsoft Windows Server 2012: 3309 vulnerabilities
Microsoft Windows Server 2008: 2820 vulnerabilities
Microsoft Windows Server 2022: 2712 vulnerabilities
Microsoft Windows 11: 2278 vulnerabilities
Microsoft Windows 7: 1810 vulnerabilities
Microsoft Windows 8.1: 1712 vulnerabilities
Microsoft Windows Rt 8 1: 1592 vulnerabilities
Microsoft Windows 11 23h2: 1562 vulnerabilities
Microsoft Windows 10 1507: 1452 vulnerabilities
Microsoft Windows 11 24h2: 1249 vulnerabilities
Microsoft Windows Server 23h2: 1215 vulnerabilities
Microsoft Windows Server 2025: 1205 vulnerabilities
Microsoft Windows Server 2012 R2: 1107 vulnerabilities
Microsoft Windows: 931 vulnerabilities
Microsoft Windows Server: 655 vulnerabilities
Microsoft Office: 591 vulnerabilities
Microsoft Internet Explorer (IE): 528 vulnerabilities (Popular web browser for Windows)
Microsoft 365 Apps: 466 vulnerabilities
Microsoft Sharepoint Server: 419 vulnerabilities
Microsoft Edge Browser: 412 vulnerabilities (Web Browser based on Chromium)
Microsoft Windows 11 25h2: 403 vulnerabilities
Microsoft Windows Vista: 382 vulnerabilities
Microsoft Windows XP: 326 vulnerabilities
Microsoft Windows 10 1803: 275 vulnerabilities
Microsoft Windows 10 1909: 271 vulnerabilities
Microsoft Windows Server 2003: 262 vulnerabilities
Microsoft Windows Server 2004: 244 vulnerabilities
Microsoft Windows 11 26h1: 242 vulnerabilities
Microsoft Windows Server 1903: 240 vulnerabilities
Microsoft Edge Chromium: 229 vulnerabilities
Microsoft Windows Server 1909: 223 vulnerabilities
Microsoft Windows Server 20h2: 205 vulnerabilities
Microsoft Office 2024: 199 vulnerabilities
Microsoft Office 2021: 192 vulnerabilities
Microsoft Excel: 188 vulnerabilities (Spreadsheet Software)
Microsoft Office 2019: 183 vulnerabilities
Microsoft Windows 2003 Server: 162 vulnerabilities
Microsoft Office Macos 2024: 160 vulnerabilities
Microsoft Office Macos 2021: 158 vulnerabilities
Microsoft Sql Server 2019: 136 vulnerabilities
Microsoft Office Online Server: 135 vulnerabilities
Microsoft Exchange Server: 132 vulnerabilities
Microsoft Visual Studio 2022: 123 vulnerabilities
Microsoft Visual Studio 2019: 123 vulnerabilities
Microsoft Windows 2000: 112 vulnerabilities
Microsoft Windows 11 2h2: 109 vulnerabilities
Microsoft Sql Server 2022: 108 vulnerabilities
Microsoft Windows Server 1803: 101 vulnerabilities
Microsoft Word: 100 vulnerabilities
Microsoft Dynamics 365: 99 vulnerabilities
Microsoft SQL Server: 98 vulnerabilities (Database Server)
Microsoft Windows 10 21h1: 95 vulnerabilities
Microsoft Sql Server 2017: 95 vulnerabilities
Microsoft Visual Studio 2017: 95 vulnerabilities
Microsoft Sql Server 2016: 93 vulnerabilities
Microsoft Net: 90 vulnerabilities
Microsoft Visual Studio: 87 vulnerabilities (Developer IDE)
Microsoft Office 365 Proplus: 87 vulnerabilities
Microsoft Outlook: 86 vulnerabilities
Microsoft Excel 2016: 79 vulnerabilities
Microsoft Visual Studio Code: 68 vulnerabilities (VSCode Developer IDE)
Microsoft Windows 8: 61 vulnerabilities
Microsoft Windows Nt: 57 vulnerabilities
Microsoft Office Web Apps: 55 vulnerabilities
Microsoft Azure Site Recovery: 53 vulnerabilities
Microsoft Office 2016: 50 vulnerabilities
Microsoft Windows Rt: 46 vulnerabilities
Microsoft Windows 10 1709: 40 vulnerabilities
Microsoft Azure Devops Server: 40 vulnerabilities
Microsoft Powershell: 39 vulnerabilities
Microsoft: 37 vulnerabilities
Microsoft ASP.NET Core: 36 vulnerabilities
Microsoft Mysql: 36 vulnerabilities
Microsoft .NET Core: 34 vulnerabilities
Microsoft Excel Viewer: 34 vulnerabilities
Microsoft Windows 10 1703: 31 vulnerabilities
Microsoft Word 2016: 29 vulnerabilities
Microsoft Http Server: 28 vulnerabilities
Microsoft Remote Desktop: 27 vulnerabilities
Microsoft Windows 10 1903: 26 vulnerabilities
Microsoft Windows 10 2004: 26 vulnerabilities
Microsoft Teams: 26 vulnerabilities
Microsoft .NET Framework: 23 vulnerabilities

Recent Microsoft Security Advisories

Advisory Title Published
CVE-2026-7246 CVE-2026-7246 Pallets Click contains a command injection via Unsanitized Filename "click.edit()" May 19, 2026
CVE-2026-5773 CVE-2026-5773 wrong reuse of SMB connection May 19, 2026
CVE-2026-7168 CVE-2026-7168 cross-proxy Digest auth state leak May 19, 2026
CVE-2026-6253 CVE-2026-6253 proxy credentials leak over redirect-to proxy May 19, 2026
CVE-2026-6429 CVE-2026-6429 netrc credential leak with reused proxy connection May 19, 2026
CVE-2026-4873 CVE-2026-4873 connection reuse ignores TLS requirement May 19, 2026
CVE-2026-6276 CVE-2026-6276 stale custom cookie host causes cookie leak May 19, 2026
CVE-2026-31702 CVE-2026-31702 f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io() May 19, 2026
CVE-2026-31704 CVE-2026-31704 ksmbd: use check_add_overflow() to prevent u16 DACL size overflow May 19, 2026
CVE-2026-31721 CVE-2026-31721 usb: gadget: f_hid: move list and spinlock inits from bind to alloc May 19, 2026

Known Exploited Microsoft Vulnerabilities

The following Microsoft vulnerabilities have recently been marked by CISA as Known to be Exploited by threat actors.

Title Description Added
Microsoft Exchange Server Cross-Site Scripting Vulnerability Microsoft Exchange Server contains a cross-site scripting vulnerability during web page generation in Outlook Web Access and when certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context.
CVE-2026-42897
May 15, 2026
Microsoft Windows Protection Mechanism Failure Vulnerability Microsoft Windows Shell contains a protection mechanism failure vulnerability that allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-32202
April 28, 2026
Microsoft Defender Insufficient Granularity of Access Control Vulnerability Microsoft Defender contains an insufficient granularity of access control vulnerability that could allow an authorized attacker to escalate privileges locally.
CVE-2026-33825
April 22, 2026
Microsoft Office Remote Code Execution Microsoft Office Excel contains a remote code execution vulnerability that could allow an attacker to take complete control of an affected system if a user opens a specially crafted Excel file that includes a malformed object.
CVE-2009-0238 Exploit Probability: 74.9%
April 14, 2026
Microsoft SharePoint Server Improper Input Validation Vulnerability Microsoft SharePoint Server contains an improper input validation vulnerability that allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-32201
April 14, 2026
Microsoft Windows Out-of-Bounds Read Vulnerability Microsoft Windows Common Log File System Driver contains an out-of-bounds read vulnerability that could allow a threat actor to escalate privileges.
CVE-2023-36424 Exploit Probability: 10.9%
April 13, 2026
Microsoft Visual Basic for Applications Insecure Library Loading Vulnerability Microsoft Visual Basic for Applications (VBA) contains an insecure library loading vulnerability that could allow for remote code execution.
CVE-2012-1854 Exploit Probability: 4.6%
April 13, 2026
Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability Microsoft Exchange Server contains a deserialization of untrusted data that allows an authenticated attacker to achieve remote code execution.
CVE-2023-21529 Exploit Probability: 31.8%
April 13, 2026
Microsoft Windows Link Following Vulnerability Microsoft Windows contains a link following vulnerability that allows for privilege escalation
CVE-2025-60710 Exploit Probability: 29.9%
April 13, 2026
Microsoft SharePoint Deserialization of Untrusted Data Vulnerability Microsoft SharePoint contains a deserialization of untrusted data vulnerability that allows an unauthorized attacker to execute code over a network.
CVE-2026-20963 Exploit Probability: 5.3%
March 18, 2026
Microsoft Windows Video ActiveX Control Remote Code Execution Vulnerability Microsoft Windows Video ActiveX Control contains a remote code execution vulnerability. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.
CVE-2008-0015 Exploit Probability: 81.6%
February 17, 2026
Microsoft Configuration Manager SQL Injection Vulnerability Microsoft Configuration Manager contains an SQL injection vulnerability. An unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to the target environment which are processed in an unsafe manner enabling the attacker to execute commands on the server and/or underlying database.
CVE-2024-43468 Exploit Probability: 83.1%
February 12, 2026
Microsoft Windows Shell Protection Mechanism Failure Vulnerability Microsoft Windows Shell contains a protection mechanism failure vulnerability that could allow an unauthorized attacker to bypass a security feature over a network.
CVE-2026-21510 Exploit Probability: 4.0%
February 10, 2026
Microsoft Office Word Reliance on Untrusted Inputs in a Security Decision Vulnerability Microsoft Office Word contains a reliance on untrusted inputs in a security decision vulnerability that could allow an authorized attacker to elevate privileges locally.
CVE-2026-21514 Exploit Probability: 4.5%
February 10, 2026
Microsoft Windows NULL Pointer Dereference Vulnerability Microsoft Windows Remote Access Connection Manager contains a NULL pointer dereference that could allow an unauthorized attacker to deny service locally.
CVE-2026-21525 Exploit Probability: 9.4%
February 10, 2026
Microsoft Internet Explorer Protection Mechanism Failure Vulnerability Microsoft Internet Explorer contains a protection mechanism failure vulnerability that could allow an unauthorized attacker to bypass a security feature over a network.
CVE-2026-21513 Exploit Probability: 31.0%
February 10, 2026
Microsoft Windows Improper Privilege Management Vulnerability Microsoft Windows Remote Desktop Services contains an improper privilege management vulnerability that could allow an authorized attacker to elevate privileges locally.
CVE-2026-21533 Exploit Probability: 20.2%
February 10, 2026
Microsoft Windows Type Confusion Vulnerability Microsoft Desktop Windows Manager contains a type confusion vulnerability that could allow an authorized attacker to elevate privileges locally.
CVE-2026-21519 Exploit Probability: 4.5%
February 10, 2026
Microsoft Office Security Feature Bypass Vulnerability Microsoft Office contains a security feature bypass vulnerability in which reliance on untrusted inputs in a security decision in Microsoft Office could allow an unauthorized attacker to bypass a security feature locally.
CVE-2026-21509 Exploit Probability: 12.5%
January 26, 2026
Microsoft Windows Information Disclosure Vulnerability Microsoft Windows Desktop Windows Manager contains an information disclosure vulnerability that allows an authorized attacker to disclose information locally.
CVE-2026-20805 Exploit Probability: 3.4%
January 13, 2026

Of the known exploited vulnerabilities above, 2 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 5 known exploited Microsoft vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.

Top 10 Riskiest Microsoft Vulnerabilities

Based on the current exploit probability, these Microsoft vulnerabilities are on CISA's Known Exploited vulnerabilities list (KEV) and are ranked by the current EPSS exploit probability.

Rank CVE EPSS Vulnerability
1 CVE-2019-0708 94.5% "BlueKeep" Microsoft Windows Remote Desktop Remote Code Execution Vulnerability
2 CVE-2017-7269 94.4% Microsoft Windows Server 2003 R2 IIS WEBDAV buffer overflow Remote Code Execution vulnerability (COVI
3 CVE-2019-0604 94.4% Microsoft SharePoint Remote Code Execution Vulnerability
4 CVE-2020-0796 94.4% Microsoft SMBv3 Remote Code Execution Vulnerability
5 CVE-2021-38647 94.4% Microsoft Azure Open Management Infrastructure (OMI) Remote Code Execution Vulnerability
6 CVE-2020-0688 94.4% Microsoft Exchange Server Key Validation Vulnerability
7 CVE-2020-1472 94.4% NetLogon Privilege Escalation Vulnerability
8 CVE-2023-29357 94.4% Microsoft SharePoint Server Privilege Escalation Vulnerability
9 CVE-2017-11882 94.4% Microsoft Office memory corruption vulnerability
10 CVE-2021-26855 94.3% Microsoft OWA Exchange Control Panel (ECP) Exploit Chain

By the Year

In 2026 there have been 2118 vulnerabilities in Microsoft with an average score of 7.2 out of ten. Last year, in 2025, Microsoft had 2740 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Microsoft in 2026 could surpass last year's number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.12.




Year Vulnerabilities Average Score
2026 2118 7.21
2025 2740 7.09
2024 2181 7.34
2023 1695 7.22
2022 1389 7.43
2021 1153 7.44
2020 1253 7.20
2019 831 7.08
2018 661 7.03

It may take a day or so for new Microsoft vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Microsoft Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-42822 May 18, 2026
May 2026: Azure Local Disconnected Operations (ALDO) Elevation of Privilege Vulnerability Improper authentication in Azure Local Disconnected Operations allows an unauthorized attacker to elevate privileges over a network.
Azure Resource Manager
Azure Local
CVE-2026-45494 May 18, 2026
May 2026: Microsoft Edge (Chromium-based) Spoofing Vulnerability Microsoft Edge (Chromium-based) Spoofing Vulnerability
Edge Chromium
CVE-2026-45495 May 18, 2026
May 2026: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
Edge Chromium
CVE-2026-45492 May 18, 2026
May 2026: Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability Improper input validation in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network.
Edge Chromium
CVE-2026-46383 May 15, 2026
May 2026: Microsoft APM: Windows absolute-path tar member overwrite during legacy-bundle probing in Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.13.0, Microsoft APM contains a Windows-specific archive extraction boundary failure in the legacy-bundle probe used by apm install <bundle> on supported Python 3.10 and 3.11 runtimes. When apm install is given a local .tar.gz that is not recognized as a plugin-format bundle, APM probes whether it is a legacy --format apm bundle. On Python versions earlier than 3.12, that probe extracts untrusted tar members with raw tar.extractall() without rejecting Windows absolute member names such as D:/.... This vulnerability is fixed in 0.13.0.
CVE-2026-45539 May 15, 2026
May 2026: Microsoft APM: Symlinks under `.apm/prompts/` and `.apm/agents/` are dereferenced during ` Microsoft APM is an open-source, community-driven dependency manager for AI agents. From 0.5.4 to 0.12.4, two primitive integrators in apm-cli enumerate package files with bare Path.glob() / Path.rglob() calls and read each match with Path.read_text(), transparently following symbolic links. A symlink committed inside a remote APM dependency under .apm/prompts/<x>.prompt.md or .apm/agents/<x>.agent.md is preserved verbatim into apm_modules/ on clone and then dereferenced during integration, with the resolved content written as a regular file into the project's deploy directories. The package content_hash, the pre-deploy SecurityGate scan, and apm audit do not flag this. The deploy roots are not added to the auto-generated .gitignore, so the resulting files are staged by git add by default. This vulnerability is fixed in 0.13.0.
CVE-2026-44641 May 15, 2026
May 2026: Microsoft APM: plugin.json component paths escape plugin root and copy arbitrary host file Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.8.12, Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are attacker-controlled, but the implementation does not enforce that those paths remain inside the plugin directory. A malicious plugin can therefore use absolute paths or ../ traversal paths to copy arbitrary readable host files or directories from the installer's machine during apm install. This vulnerability is fixed in 0.8.12.
CVE-2026-46483 May 15, 2026
Command Injection in Vim tar.vim before 9.2.0479 Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag, allowing a crafted archive filename to trigger Vim cmdline-special expansion and execute shell commands in the user's context. This vulnerability is fixed in 9.2.0479.
CVE-2026-46333 May 15, 2026
Linux kernel: ptrace dumpability logic flaw In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional "drop capabilities" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached "last dumpability" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.
CVE-2026-43490 May 15, 2026
Linux kernel ksmbd ACE SID length validation flaw In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate inherited ACE SID length smb_inherit_dacl() walks the parent directory DACL loaded from the security descriptor xattr. It verifies that each ACE contains the fixed SID header before using it, but does not verify that the variable-length SID described by sid.num_subauth is fully contained in the ACE. A malformed inheritable ACE can advertise more subauthorities than are present in the ACE. compare_sids() may then read past the ACE. smb_set_ace() also clamps the copied destination SID, but used the unchecked source SID count to compute the inherited ACE size. That could advance the temporary inherited ACE buffer pointer and nt_size accounting past the allocated buffer. Fix this by validating the parent ACE SID count and SID length before using the SID during inheritance. Compute the inherited ACE size from the copied SID so the size matches the bounded destination SID. Reject the inherited DACL if size accumulation would overflow smb_acl.size or the security descriptor allocation size.
CVE-2025-54518 May 15, 2026
AMD Zen 2 CPU: Shared cache isolation flaw enables privilege escalation Improper isolation of shared resources within the CPU operation cache on Zen 2-based products could allow an attacker to corrupt instructions executed at a different privilege level, potentially resulting in privilege escalation.
CVE-2026-44673 May 14, 2026
libyang <5.2.15 LYB parser heap overflow libyang is a YANG data modeling language library. Prior to SO 5.2.15, lyb_read_string() in src/parser_lyb.c contains an integer overflow that results in a heap buffer overflow when parsing a maliciously crafted LYB binary blob. An attacker who can supply LYB data to any libyang consumer (NETCONF server, sysrepo, etc.) can trigger a crash or potential heap corruption. This vulnerability is fixed in SO 5.2.15.
CVE-2026-44662 May 14, 2026
Heap OOB in Rust OpenSSL bindings <0.10.79 for AES key-wrap pad ciphers rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.10.0 to before 0.10.79, CipherCtxRef::cipher_update, CipherCtxRef::cipher_update_vec, and symm::Crypter::update incorrectly sized output buffers when used with AES key-wrap-with-padding ciphers (EVP_aes_{128,192,256}_wrap_pad). For a non-multiple-of-8 input, OpenSSL writes up to 7 bytes past the end of the caller's buffer or Vec, producing attacker-controllable heap corruption when the plaintext length is attacker-influenced. This only impacts users using AES key-wrap-with-padding ciphers. This vulnerability is fixed in 0.10.79.
CVE-2026-44283 May 14, 2026
etcd RBAC Bypass via PrevKv/Lease in Tx Ops (3.4.43,3.5.29,3.6.10) etcd is a distributed key-value store for the data of a distributed system. Prior to 3.4.44, 3.5.30, and 3.6.11, a vulnerability in etcd allows read access via PrevKv, or lease attachment in Put requests within transaction operations, to bypass RBAC authorization checks. An authenticated user without sufficient read or lease-related permissions may be able to access unauthorized data or attach leases by invoking transaction operations with these features enabled. This vulnerability is fixed in 3.4.44, 3.5.30, and 3.6.11.
CVE-2026-41615 May 14, 2026
May 2026: Microsoft Authenticator Information Disclosure Vulnerability Exposure of sensitive information to an unauthorized actor in Microsoft Authenticator allows an unauthorized attacker to disclose information over a network.
Authenticator
Authenticator For Ios
CVE-2026-42897 May 14, 2026
May 2026: Microsoft Exchange Server Spoofing Vulnerability Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
Exchange Server 2016
Exchange Server 2019
Exchange Server Se
And others...
CVE-2026-44503 May 14, 2026
May 2026: Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host The RedirectHandler middleware in microsoft/kiota-java (com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0) and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme. Only the Authorization header is removed; Cookie, Proxy-Authorization, and all custom headers are forwarded to the redirect target.
CVE-2026-6638 May 14, 2026
PostgreSQL <18.4,<17.10,<16.14: SQLi via ALTER SUBSCRIPTION REFRESH PUBLICATION SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription's publication-side credentials. The attack takes effect at the next REFRESH PUBLICATION. Within major versions 16, 17, and 18, minor versions before PostgreSQL 18.4, 17.10, and 16.14 are affected. Versions before PostgreSQL 16 are unaffected.
CVE-2026-6637 May 14, 2026
PostgreSQL refint stack buffer overflow, <= 18.4 Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a user-controlled column as a "refint" cascade primary key and facilitates user-controlled updates to that column. In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
CVE-2026-6479 May 14, 2026
PostgreSQL Recursion CVE-2026-6479: SSL/GSS DoS pre-18.4,17.10,16.14,15.18,14.23 Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
CVE-2026-6478 May 14, 2026
PostgreSQL MD5 Timing Channel CVE-2026-6478 (v<18.4/17.10/16.14/15.18/14.23) Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
CVE-2026-6477 May 14, 2026
PostgreSQL libpq PQfn buffer overflow in lo_* before 18.4, 17.10, 16.14, 15.18 Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
CVE-2026-6475 May 14, 2026
PostgreSQL pg_basebackup/pg_rewind SYMLINK overwrite <=18.4/17.10/16.14/15.18/14.23 Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
CVE-2026-6474 May 14, 2026
PostgreSQL timeofday() FS Vulnerability (pre-18.4,17.10,16.14,15.18,14.23) Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
CVE-2026-6473 May 14, 2026
PostgreSQL <18.4 OOB Integer Wraparound Undersize Allocation Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds. This may execute arbitrary code as the operating system user running the database. In applications that pass gigabyte-scale user inputs to the relevant database functions, the application input provider may achieve a segmentation fault. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
CVE-2026-6472 May 14, 2026
PostgreSQL 18.4+ Missing Auth in CREATE TYPE (search_path hijack) Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types. That is to say, the victim will execute arbitrary SQL functions of the attacker's choice. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
CVE-2026-8295 May 14, 2026
Integer Overflow in simdjson 4.x string_builder on 32-bit builds An integer overflow vulnerability in the simdjson document-builder API allows incorrect buffer size calculations in "string_builder::escape_and_append()" when processing very large input strings on platforms with limited "size_t" width (e.g., 32-bit builds). The overflow can cause insufficient buffer allocation, leading to out-of-bounds memory reads in SIMD routines and potentially resulting in information disclosure, memory corruption, or malformed JSON output. This vulnerability has been fixed in the 4.6.4 release.
CVE-2026-42304 May 13, 2026
Twisted <26.4rc2: DoS via DNS decompression pointer chain Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can exploit this by sending a crafted TCP DNS packet containing deeply chained compression pointers. This flaw bypasses previous loop-prevention logic, causing the single-threaded Twisted reactor to hang while processing millions of recursive lookups, effectively freezing the server. This vulnerability is fixed in 26.4.0rc2.
CVE-2026-8328 May 13, 2026
Python CPython ftplib ftpcp CVE-2026-8328: Unpatched PASV IP Leak (pre-3.15) The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.
CVE-2026-44431 May 13, 2026
urllib3 1.23-2.6.x Sensitive Header Leak via ProxyManager (CVE-2026-44431) urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.
CVE-2026-40460 May 13, 2026
NGINX HTTP/3 QUIC IP Spoofing for Auth / Rate Limiting Bypass When NGINX Plus or NGINX Open Source are configured to use the HTTP/3 QUIC module, an attacker may be able to spoof their source IP address allowing for bypass of authorization or bypass of rate limiting.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2026-42946 May 13, 2026
NGINX SCGI/UWSGI Modules Excessive Memory Allocation via MITM A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an over-read of data. When scgi_pass or uwsgi_pass is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2026-42945 May 13, 2026
Heap Buffer Overflow in NGINX ngx_http_rewrite_module via PCRE Capture NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2026-40701 May 13, 2026
NGINX Heap UAF via ssl_verify_client/ssl_ocsp in ngx_http_ssl_module
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ssl_module module when the ssl_verify_client directive is set to "on" or "optional," and the ssl_ocsp directive is set to "on" or the leaf parameters are configured with a resolver. With this configuration, an unauthenticated attacker can send requests along with conditions beyond its control that may cause a heap-use-after-free error in the NGINX worker process. This vulnerability may result in limited modification of data or the NGINX worker process restarting. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2026-42934 May 13, 2026
NGINX ngx_http_charset_module Heap Buffer Over-read in Worker Process
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When the charset, source_charset, and charset_map directives and proxy_pass with disabled buffering ("off") are configured, unauthenticated attackers can send requests that, along with conditions beyond the attackers' control, cause a heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2026-7168 May 13, 2026
libcurl Proxy Digest Auth Header Leak on Handle Reuse
Successfully using libcurl to do a transfer over a specific HTTP proxy (`proxyA`) with **Digest** authentication and then changing the proxy host to a second one (`proxyB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the `Proxy-Authorization:` header field meant for `proxyA`, to `proxyB`.
CVE-2026-6429 May 13, 2026
CURL libcurl HTTP Redirect Password Leak via .netrc
When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances.
CVE-2026-6276 May 13, 2026
Stale Host Header Causes Cookie Leakage in libcurl
Using libcurl, when a custom `Host:` header is first set for an HTTP request and a second request is subsequently done using the same *easy handle* but without the custom `Host:` header set, the second request would use stale information and pass on cookies meant for the first host in the second request, leaking them.
CVE-2026-6253 May 13, 2026
Curl Credential Leak via Proxy Chain Redirect
curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true:
1. curl is set up to use specific different proxies for different URL schemes
2. the first proxy needs credentials
3. the second proxy uses no credentials
4. while using the first proxy (using say `http://`), curl is asked to follow a redirect to a URL using another scheme (say `https://`), accessed using a second, different, proxy
CVE-2026-5773 May 13, 2026
libcurl SMB Connection Reuse flaw leads to wrong file transfer
libcurl might in some circumstances reuse the wrong connection for SMB(S) transfers. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection, a range of criteria must be met. Due to a logical error in the code, a network transfer operation that was requested by an application could wrongfully reuse an existing SMB connection to the same server that was using a different 'share' than the new subsequent transfer should. This could in unlucky situations lead to the download of the wrong file or the upload of a file to the wrong place. When this happens, the same credentials are used and the server name is the same.
CVE-2026-5545 May 13, 2026
libcurl Auth Credential Leak via Connection Reuse
libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTP(S) request after a Negotiate-authenticated one, when both use the same host. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection, a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. An application that first uses Negotiate authentication to a server with `user1:password1` and then does another operation to the same server asking for any authentication method but for `user2:password2` (while the previous connection is still alive) - the second request gets confused and wrongly reuses the same connection and sends the new request over that connection thinking it uses a mix of user1's and user2's credentials when it is in fact still using the connection authenticated for user1...
CVE-2026-4873 May 13, 2026
curl TLS Reuse Vulnerability: Cleartext Leak
A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request to that same host bypasses the TLS requirement and instead transmits data unencrypted.
CVE-2026-33821 May 12, 2026
May 2026: Microsoft Dynamics 365 Customer Insights Elevation of Privilege Vulnerability
Improper privilege management in Microsoft Dynamics 365 Customer Insights allows an authorized attacker to elevate privileges over a network.
Dynamics 365
CVE-2026-42893 May 12, 2026
May 2026: Microsoft Outlook for iOS Tampering Vulnerability
Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to perform tampering over a network.
Outlook
CVE-2026-42838 May 12, 2026
May 2026: Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
Improper neutralization of special elements in output used by a downstream component ('injection') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to elevate privileges over a network.
Edge Chromium
CVE-2026-40416 May 12, 2026
May 2026: Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability
User interface (UI) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.
Edge Chromium
CVE-2026-42833 May 12, 2026
May 2026: Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability
Execution with unnecessary privileges in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.
Dynamics 365
CVE-2026-42832 May 12, 2026
May 2026: Microsoft Office Spoofing Vulnerability
Improper access control in Microsoft Office allows an unauthorized attacker to perform spoofing locally.
Word
Excel
Office Macos 2021
And others...
CVE-2026-42830 May 12, 2026
May 2026: Azure Monitor Agent Metrics Extension Elevation of Privilege Vulnerability
Untrusted search path in Azure Monitor Agent allows an authorized attacker to elevate privileges locally.
Azure Monitor Agent Metrics Extension
CVE-2026-42823 May 12, 2026
May 2026: Azure Logic Apps Elevation of Privilege Vulnerability
Improper access control in Azure Logic Apps allows an authorized attacker to elevate privileges over a network.
Azure Logic Apps
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).