Microsoft Outlook
Recent Microsoft Outlook Security Advisories
| Advisory | Title | Published |
|---|---|---|
| CVE-2026-21511 | CVE-2026-21511 Microsoft Outlook Spoofing Vulnerability | February 10, 2026 |
| CVE-2026-21260 | CVE-2026-21260 Microsoft Outlook Spoofing Vulnerability | February 10, 2026 |
| CVE-2025-62562 | CVE-2025-62562 Microsoft Outlook Remote Code Execution Vulnerability | December 9, 2025 |
| CVE-2025-47176 | CVE-2025-47176 Microsoft Outlook Remote Code Execution Vulnerability | June 10, 2025 |
| CVE-2025-47171 | CVE-2025-47171 Microsoft Outlook Remote Code Execution Vulnerability | June 10, 2025 |
| CVE-2025-32705 | CVE-2025-32705 Microsoft Outlook Remote Code Execution Vulnerability | May 13, 2025 |
| CVE-2025-29805 | CVE-2025-29805 Outlook for Android Information Disclosure Vulnerability | April 8, 2025 |
| CVE-2025-21259 | CVE-2025-21259 Microsoft Outlook Spoofing Vulnerability | February 11, 2025 |
| CVE-2025-21361 | CVE-2025-21361 Microsoft Outlook Remote Code Execution Vulnerability | January 14, 2025 |
| CVE-2025-21357 | CVE-2025-21357 Microsoft Outlook Remote Code Execution Vulnerability | January 14, 2025 |
Known Exploited Microsoft Outlook Vulnerabilities
The following Microsoft Outlook vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| Microsoft Outlook Security Feature Bypass Vulnerability | Microsoft Outlook contains a security feature bypass vulnerability that allows an attacker to bypass the Microsoft Outlook Security Notice prompt. CVE-2023-35311 Exploit Probability: 0.5% | July 11, 2023 |
By the Year
In 2026 there have been 0 vulnerabilities in Microsoft Outlook. Last year, in 2025, Outlook had 8 security vulnerabilities published. Right now, Outlook is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 8 | 7.08 |
| 2024 | 13 | 7.47 |
| 2023 | 15 | 7.11 |
| 2022 | 2 | 6.40 |
| 2021 | 3 | 7.40 |
| 2020 | 9 | 6.54 |
| 2019 | 7 | 6.00 |
| 2018 | 10 | 8.30 |
It may take a day or so for new Outlook vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Microsoft Outlook Security Vulnerabilities
Jul 2025: Microsoft Office Remote Code Execution Vulnerability
CVE-2025-49699
7 - High
- July 08, 2025
Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
Dangling pointer
Jun 2025: Microsoft Outlook Remote Code Execution Vulnerability
CVE-2025-47171
6.7 - Medium
- June 10, 2025
Improper input validation in Microsoft Office Outlook allows an authorized attacker to execute code locally.
Improper Input Validation
Jun 2025: Microsoft Outlook Remote Code Execution Vulnerability
CVE-2025-47176
7.8 - High
- June 10, 2025
'.../...//' in Microsoft Office Outlook allows an authorized attacker to execute code locally.
Path Traversal: '.../...//'
May 2025: Microsoft Outlook Remote Code Execution Vulnerability
CVE-2025-32705
7.8 - High
- May 13, 2025
Out-of-bounds read in Microsoft Office Outlook allows an unauthorized attacker to execute code locally.
Out-of-bounds Read
Apr 2025: Outlook for Android Information Disclosure Vulnerability
CVE-2025-29805
7.5 - High
- April 08, 2025
Exposure of sensitive information to an unauthorized actor in Outlook for Android allows an unauthorized attacker to disclose information over a network.
Information Disclosure
Feb 2025: Microsoft Outlook Spoofing Vulnerability
CVE-2025-21259
5.3 - Medium
- February 11, 2025
Microsoft Outlook Spoofing Vulnerability
User Interface (UI) Misrepresentation of Critical Information
Jan 2025: Microsoft Outlook Remote Code Execution Vulnerability
CVE-2025-21361
7.8 - High
- January 14, 2025
Microsoft Outlook Remote Code Execution Vulnerability
Improper Restriction of Names for Files and Other Resources
Jan 2025: Microsoft Outlook Remote Code Execution Vulnerability
CVE-2025-21357
6.7 - Medium
- January 14, 2025
Microsoft Outlook Remote Code Execution Vulnerability
Use of Uninitialized Resource
Microsoft Outlook Library Injection Vulnerability on macOS
CVE-2024-42220
7.1 - High
- December 18, 2024
A library injection vulnerability exists in Microsoft Outlook 16.83.3 for macOS. A specially crafted library can leverage Outlook's access privileges, leading to a permission bypass. A malicious application could inject a library and start the program to trigger this vulnerability and then make use of the vulnerable application's permissions.
Improper Verification of Cryptographic Signature
Microsoft Outlook Android EOP Vulnerability CVE-2024-43604
CVE-2024-43604
8 - High
- October 08, 2024
Outlook for Android Elevation of Privilege Vulnerability
Insufficient Granularity of Access Control
Microsoft Outlook iOS Info Disclosure Vulnerability
CVE-2024-43482
6.5 - Medium
- September 10, 2024
Microsoft Outlook for iOS Information Disclosure Vulnerability
AuthZ
Microsoft Outlook RCE Vulnerability
CVE-2024-38173
6.7 - Medium
- August 13, 2024
Microsoft Outlook Remote Code Execution Vulnerability
Jul 2024: Microsoft Outlook Spoofing Vulnerability
CVE-2024-38020
6.5 - Medium
- July 09, 2024
Microsoft Outlook Spoofing Vulnerability
Information Disclosure
Jul 2024: Microsoft Outlook Remote Code Execution Vulnerability
CVE-2024-38021
8.8 - High
- July 09, 2024
Microsoft Outlook Remote Code Execution Vulnerability
Improper Input Validation
Jun 2024: Microsoft Outlook Remote Code Execution Vulnerability
CVE-2024-30103
8.8 - High
- June 11, 2024
Microsoft Outlook Remote Code Execution Vulnerability
Denylist / Deny List
Outlook CID-Based Email Script Injection via Show More
CVE-2024-23187
6.1 - Medium
- May 06, 2024
Content-ID based embedding of resources in E-Mails could be abused to trigger client-side script code when using the "show more" option. Attackers could perform malicious API requests or extract information from the user's account. Exploiting the vulnerability requires user interaction. Please deploy the provided updates and patch releases. CID replacement has been hardened to omit invalid identifiers. No publicly available exploits are known.
XSS
Outlook for Windows Spoofing Vulnerability (CVE-2024-20670)
CVE-2024-20670
8.1 - High
- April 09, 2024
Outlook for Windows Spoofing Vulnerability
Outlook for Android Info Disclosure CVE-2024-26204
CVE-2024-26204
7.5 - High
- March 12, 2024
Outlook for Android Information Disclosure Vulnerability
Outlook EoP via Improper Access Control in Outlook Client
CVE-2024-21402
7.1 - High
- February 13, 2024
Microsoft Outlook Elevation of Privilege Vulnerability
Outlook RCE Vulnerability CVE-2024-21378
CVE-2024-21378
8.8 - High
- February 13, 2024
Microsoft Outlook Remote Code Execution Vulnerability
Microsoft Outlook XSS via CID reference in EMail (CVE-2023-41704)
CVE-2023-41704
7.1 - High
- February 12, 2024
Processing of CID references in E-Mail can be abused to inject malicious script code that passes the sanitization engine. Malicious script code could be injected into a user's sessions when interacting with E-Mails. Please deploy the provided updates and patch releases. CID handling has been improved and resulting content is checked for malicious content. No publicly available exploits are known.
XSS
Outlook Info Disclosure via Malformed URL (CVE-2023-35636)
CVE-2023-35636
6.5 - Medium
- December 12, 2023
Microsoft Outlook Information Disclosure Vulnerability
CVE-2023-35619: Outlook for Mac Spoofing Vulnerability
CVE-2023-35619
5.3 - Medium
- December 12, 2023
Microsoft Outlook for Mac Spoofing Vulnerability
Microsoft Outlook AutoDiscover timeout leaks leading to network exhaustion
CVE-2023-29046
4.3 - Medium
- November 02, 2023
Connections to external data sources, like e-mail autoconfiguration, were not terminated in case they hit a timeout; instead, those connections were logged. Some connections use user-controlled endpoints, which could be malicious and attempt to keep the connection open for an extended period of time. As a result, users were able to trigger a large amount of egress network connections, possibly exhausting network pool resources and locking up legitimate requests. A new mechanism has been introduced to cancel external connections that might access user-controlled endpoints. No publicly available exploits are known.
Resource Exhaustion
Microsoft Outlook Local Info Disclosure via Missing Permission Check
CVE-2023-40644
5.5 - Medium
- October 08, 2023
In Messaging, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges needed.
AuthZ
Sep 2023: Microsoft Outlook Information Disclosure Vulnerability
CVE-2023-36763
7.5 - High
- September 12, 2023
Microsoft Outlook Information Disclosure Vulnerability
Information Disclosure
Microsoft Outlook LPE from Missing Permission Check on Contact Import
CVE-2023-35665
7.8 - High
- September 11, 2023
In multiple files, there is a possible way to import a contact from another user due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AuthZ
Microsoft Outlook Remote RCE Vulnerability
CVE-2023-36895
7.8 - High
- August 08, 2023
Microsoft Outlook Remote Code Execution Vulnerability
Microsoft Outlook Spoofing Flaw Allowing Sender ID Manipulation
CVE-2023-36893
6.5 - Medium
- August 08, 2023
Microsoft Outlook Spoofing Vulnerability
Jul 2023: Microsoft Outlook Security Feature Bypass Vulnerability
CVE-2023-35311
7.5 - High
- July 11, 2023
Microsoft Outlook Security Feature Bypass Vulnerability
TOCTTOU
MS Outlook Remote Code Execution Vulnerability
CVE-2023-33153
8.8 - High
- July 11, 2023
Microsoft Outlook Remote Code Execution Vulnerability
Outlook Spoofing Exploit CVE-2023-33151
CVE-2023-33151
6.5 - Medium
- July 11, 2023
Microsoft Outlook Spoofing Vulnerability
Microsoft Outlook RCE Vulnerability (CVE-2023-33131)
CVE-2023-33131
8.8 - High
- June 14, 2023
Microsoft Outlook Remote Code Execution Vulnerability
MS Outlook DoS via Email Parsing Vulnerability
CVE-2022-35742
7.5 - High
- June 01, 2023
Microsoft Outlook Denial of Service Vulnerability
Mar 2023: Microsoft Outlook Elevation of Privilege Vulnerability
CVE-2023-23397
9.8 - Critical
- March 14, 2023
Microsoft Outlook Elevation of Privilege Vulnerability
Improper Input Validation
Authenticated DoS in Microsoft Outlook
CVE-2022-27507
6.5 - Medium
- January 26, 2023
Authenticated denial of service
Resource Exhaustion
Outlook for Android EoP Vulnerability (CVE-2022-24480)
CVE-2022-24480
6.3 - Medium
- December 13, 2022
Outlook for Android Elevation of Privilege Vulnerability
MS Outlook DoS via crafted To header in email
CVE-2022-39052
6.5 - Medium
- October 17, 2022
An external attacker is able to send a specially crafted email (with many recipients) and trigger a potential DoS of the system.
Infinite Loop
Microsoft Office Graphics Remote Code Execution Vulnerability
CVE-2021-31941
7.8 - High
- June 08, 2021
Microsoft Office Graphics Remote Code Execution Vulnerability
Microsoft Outlook Remote Code Execution Vulnerability
CVE-2021-31949
7.3 - High
- June 08, 2021
Microsoft Outlook Remote Code Execution Vulnerability
Microsoft Outlook Memory Corruption Vulnerability
CVE-2021-28452
7.1 - High
- April 13, 2021
Microsoft Outlook Memory Corruption Vulnerability
Memory Corruption
Dec 2020: Microsoft Outlook Information Disclosure Vulnerability
CVE-2020-17119
6.5 - Medium
- December 10, 2020
Microsoft Outlook Information Disclosure Vulnerability
Oct 2020: Microsoft Outlook Remote Code Execution Vulnerability
CVE-2020-16947
7.5 - High
- October 16, 2020
A remote code execution vulnerability exists in Microsoft Outlook software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the targeted user. If the targeted user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Outlook software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file. Note that where severity is indicated as Critical in the Affected Products table, the Preview Pane is an attack vector. The security update addresses the vulnerability by correcting how Outlook handles objects in memory.
Oct 2020: Microsoft Outlook Denial of Service Vulnerability
CVE-2020-16949
4.7 - Medium
- October 16, 2020
A denial of service vulnerability exists in Microsoft Outlook software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could cause a remote denial of service against a system. Exploitation of the vulnerability requires that a specially crafted email be sent to a vulnerable Outlook server. The security update addresses the vulnerability by correcting how Microsoft Outlook handles objects in memory.
A remote code execution vulnerability exists in Microsoft Outlook when the software fails to properly handle objects in memory
CVE-2020-1483
5 - Medium
- August 17, 2020
A remote code execution vulnerability exists in Microsoft Outlook when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Outlook software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file. Note that where severity is indicated as Critical in the Affected Products table, the Preview Pane is an attack vector. The security update addresses the vulnerability by correcting how Outlook handles objects in memory.
Memory Corruption
An information disclosure vulnerability exists when attaching files to Outlook messages
CVE-2020-1493
5.5 - Medium
- August 17, 2020
An information disclosure vulnerability exists when attaching files to Outlook messages. This vulnerability could potentially allow users to share attached files such that they are accessible by anonymous users where they should be restricted to specific users. To exploit this vulnerability, an attacker would have to attach a file as a link to an email. The email could then be shared with individuals that should not have access to the files, ignoring the default organizational setting. The security update addresses the vulnerability by correcting how Outlook handles file attachment links.
A remote code execution vulnerability exists in Microsoft Outlook software when it fails to properly handle objects in memory
CVE-2020-1349
7.8 - High
- July 14, 2020
A remote code execution vulnerability exists in Microsoft Outlook software when it fails to properly handle objects in memory, aka 'Microsoft Outlook Remote Code Execution Vulnerability'.
A remote code execution vulnerability exists when Microsoft Office improperly loads arbitrary type libraries
CVE-2020-0760
8.8 - High
- April 15, 2020
A remote code execution vulnerability exists when Microsoft Office improperly loads arbitrary type libraries, aka 'Microsoft Office Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0991.
Improper Input Validation
A security feature bypass vulnerability exists in Microsoft Outlook software when it improperly handles the parsing of URI formats
CVE-2020-0696
6.5 - Medium
- February 11, 2020
A security feature bypass vulnerability exists in Microsoft Outlook software when it improperly handles the parsing of URI formats, aka 'Microsoft Outlook Security Feature Bypass Vulnerability'.
Jan 2020:
CVE-2019-1460
- January 24, 2020
A spoofing vulnerability exists in the way Microsoft Outlook for Android software parses specifically crafted email messages, aka 'Outlook for Android Spoofing Vulnerability'.
