Skip to main content
CVE-2026-25605 MEDIUM CISA This Month

Unvalidated file path handling in SICAM SIAPP SDK versions below 2.1.7 permits local attackers to delete arbitrary files and sockets accessible to the application process, causing denial of service or service disruption. The vulnerability requires local access and specific conditions to exploit but carries no patching option currently. Organizations using affected SDK versions should implement access controls and monitor for unexpected file deletion activity until an update becomes available.

Denial Of Service Sicam Siapp Sdk
NVD VulDB
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-21333 HIGH This Week

Arbitrary code execution in Adobe Illustrator versions 29.8.4 and 30.1 and earlier via an untrusted search path vulnerability allows local attackers to execute malicious code with user privileges. The vulnerability requires a victim to open a specially crafted file, making it exploitable through social engineering or malicious file distribution. No patch is currently available.

Adobe Illustrator
NVD VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-26110 HIGH PATCH This Week

Local code execution in Microsoft Office and 365 Apps stems from a type confusion vulnerability in memory handling that allows unauthenticated attackers to execute arbitrary code with system privileges. The vulnerability affects Office Long Term Servicing Channel deployments and requires only local access with no user interaction to trigger. No patch is currently available, making this a critical risk for organizations running affected Office versions.

Microsoft Authentication Bypass Memory Corruption
NVD VulDB
CVSS 3.1
8.4
EPSS
0.1%
CVE-2026-26113 HIGH PATCH This Week

Unsafe pointer dereference in Microsoft Office, SharePoint Server, and 365 Apps enables local code execution with high privileges on affected systems. An attacker with local access can exploit this memory safety flaw to achieve complete system compromise including data theft and modification. No patch is currently available, leaving users vulnerable until Microsoft releases a security update.

Microsoft Authentication Bypass Sharepoint Server Office Office Long Term Servicing Channel +1
NVD VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-26109 HIGH PATCH This Week

Arbitrary code execution in Microsoft Office Excel and related products (Office Online Server, 365 Apps) via out-of-bounds memory read allows local attackers to achieve complete system compromise without requiring user interaction or elevated privileges. This high-severity vulnerability affects multiple Microsoft Office components and currently lacks a security patch. An attacker with local access can exploit memory corruption to execute malicious code with full system permissions.

Microsoft Information Disclosure Buffer Overflow Office Online Server 365 Apps +3
NVD VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-0122 HIGH This Week

Unauthenticated local attackers can achieve remote code execution on Android devices through out-of-bounds memory writes that corrupt process memory. This vulnerability requires no user interaction or elevated privileges to exploit and has a CVSS score of 8.4. No patch is currently available.

RCE Memory Corruption Android Google
NVD VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-70802 HIGH This Week

Tenda G1V3.1si V16.01.7.8 Firmware V16.01.7.8 was discovered to contain a hardcoded password vulnerability in /etc_ro/shadow, which allows attackers to log in as root. [CVSS 8.4 HIGH]

Authentication Bypass Tenda
NVD GitHub VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-70798 HIGH This Week

Tenda i24V3.0si V3.0.0.5 Firmware V3.0.0.5 was discovered to contain a hardcoded password vulnerability in /etc_ro/shadow, which allows attackers to log in as root. [CVSS 8.4 HIGH]

Authentication Bypass Tenda
NVD GitHub VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-36920 HIGH This Week

In hyp_alloc of arch/arm64/kvm/hyp/nvhe/alloc.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 8.4 HIGH]

Privilege Escalation Android Google
NVD VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-0118 HIGH This Week

Oobconfig on Android contains a logic error that allows local attackers to circumvent carrier restrictions and escalate privileges without requiring additional execution capabilities or user interaction. This vulnerability enables unauthorized privilege elevation on affected devices through a straightforward exploitation path. No patch is currently available to remediate this issue.

Privilege Escalation Android Google
NVD VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-0123 HIGH This Week

Uncontrolled buffer writes in Android's EfwApTransport component allow local attackers to achieve privilege escalation without requiring user interaction or special permissions. The vulnerability stems from insufficient bounds checking in the ProcessRxRing function, enabling an attacker with local access to corrupt kernel memory and gain elevated privileges.

Privilege Escalation Android Google
NVD VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-0117 HIGH This Week

Local privilege escalation in Android's Media Framework Codec (MFC) decoder results from an out-of-bounds write vulnerability in the mfc_dec_dqbuf function due to inadequate bounds validation. An attacker with local access can exploit this defect without special privileges or user interaction to gain elevated system permissions. No patch is currently available for this vulnerability.

Privilege Escalation Android Google
NVD VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-0107 HIGH This Week

Android versions up to - contains a vulnerability that allows attackers to local escalation of privilege with no additional execution privileges needed (CVSS 8.4).

Privilege Escalation Android Google
NVD VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-31824 HIGH PATCH This Week

Sylius eCommerce Framework is vulnerable to a race condition in promotion and coupon usage limit enforcement, where concurrent requests can bypass redemption restrictions by exploiting a gap between eligibility validation and usage increment operations. An unauthenticated attacker can exploit this TOCTOU vulnerability to redeem promotions or coupons beyond their configured usage limits, potentially causing financial loss through unintended discounts. No patch is currently available.

Race Condition Sylius
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-26148 HIGH PATCH This Week

Local privilege escalation in Azure Entra ID SSH Login Extension for Linux stems from improper initialization of trusted variables, enabling unauthenticated attackers on affected systems to gain elevated privileges. This high-severity vulnerability (CVSS 8.1) requires local access but can compromise system confidentiality, integrity, and availability across trust boundaries. No patch is currently available.

Authentication Bypass Microsoft Azure Ad Ssh Login Extension For Linux
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-24017 HIGH This Week

Fortinet FortiWeb versions 7.0 through 8.0.2 contain an improper rate-limiting flaw that allows unauthenticated remote attackers to bypass authentication attempt restrictions through crafted requests. This vulnerability enables attackers to conduct brute-force password attacks against FortiWeb instances with reduced constraints, with success dependent on attacker resources and target password complexity. No patch is currently available for affected versions.

Fortinet Fortiweb
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-26105 HIGH PATCH This Week

Microsoft SharePoint Server contains a reflected cross-site scripting vulnerability that allows remote attackers to execute arbitrary scripts in users' browsers through malicious links, enabling spoofing attacks and credential theft. The vulnerability requires user interaction to trigger and affects all SharePoint deployments with no available patch. With a CVSS score of 8.1, this poses a significant risk to organizations relying on SharePoint for collaboration.

Microsoft XSS Sharepoint Server
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-28693 HIGH PATCH This Week

High severity vulnerability in ImageMagick. An integer overflow in DIB coder can result in out of bounds read or write

Imagemagick Information Disclosure Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-54820 HIGH This Week

A Stack-based Buffer Overflow vulnerability [CWE-121] vulnerability in Fortinet FortiManager 7.4.0 through 7.4.2, FortiManager 7.2.0 through 7.2.10, FortiManager 6.4 all versions may allow a remote unauthenticated attacker to execute unauthorized commands via crafted requests, if the service is enabled. [CVSS 8.1 HIGH]

Fortinet Buffer Overflow Stack Overflow Fortimanager
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-25166 HIGH PATCH This Week

Local code execution in Windows System Image Manager (Windows 11 23h2, Windows Server 2019/2022) through unsafe deserialization of untrusted data. An authenticated local attacker can exploit this vulnerability to execute arbitrary code with elevated privileges. No patch is currently available.

Deserialization Microsoft Windows 11 23h2 Windows Server 2019 Windows Server 2022 23h2 +10
NVD VulDB
CVSS 3.1
7.8
EPSS
0.6%
CVE-2025-2399 MEDIUM CISA This Month

Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Mitsubishi Electric CNC M800V Series M800VW and M800VS, M80V Series M80V and M80VW, M800 Series M800W and M800S, M80 Series M80 and M80W, E80 Series E80, C80 Series C80, M700V Series M750VW, M720VW, 730VW, M720VS, M730VS, and M750VS, M70V Series M70V, E70 Series E70, and Software Tools NC Trainer2 and NC Trainer2 plus allows a remote attacker to cause an out-of-bounds read, resulting in a denial-of-service condition by sending specially crafted packets to TCP port 683. [CVSS 5.9 MEDIUM]

Buffer Overflow
NVD VulDB
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-25187 HIGH PATCH This Week

Windows Winlogon's failure to properly validate symbolic links before file access enables local privilege escalation on affected Windows Server and Windows 10/11 systems. An authenticated attacker can exploit this vulnerability to gain elevated system privileges without user interaction. No patch is currently available for this high-severity issue affecting multiple Windows versions including Server 2025 and Windows 11 26h1.

Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-24287 HIGH PATCH This Week

Windows Kernel path traversal vulnerability in Server 2025, Server 2022, Windows 11 24h2, and Windows 10 22h2 enables authenticated local attackers to achieve full system compromise through privilege escalation. The flaw allows an authorized user to manipulate file name or path parameters, bypassing access controls and gaining kernel-level privileges. No patch is currently available.

Information Disclosure Microsoft Windows Server 2025 Windows 11 24h2 Windows Server 2022 23h2 +9
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-24289 HIGH PATCH This Week

Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally. [CVSS 7.8 HIGH]

Use After Free Microsoft Denial Of Service Memory Corruption Windows 10 22h2 +13
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-26134 HIGH PATCH This Week

Microsoft Office is vulnerable to an integer overflow that allows authenticated local users to escalate their privileges and gain full system control. An attacker with valid credentials can exploit this numeric calculation flaw to execute arbitrary code with elevated permissions. No patch is currently available for this vulnerability.

Microsoft Integer Overflow Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-23673 HIGH PATCH This Week

Windows ReFS contains an out-of-bounds read vulnerability affecting Server 2019, 2022, 2025, and Windows 11 26h1 that enables authenticated local users to escalate privileges with high impact to confidentiality, integrity, and availability. The vulnerability requires low attack complexity and no user interaction, making it exploitable by any authenticated user on the system. No patch is currently available for this HIGH severity issue.

Information Disclosure Microsoft Buffer Overflow Windows Server 2019 Windows Server 2025 +13
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-26132 HIGH PATCH This Week

Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally. [CVSS 7.8 HIGH]

Use After Free Microsoft Memory Corruption Denial Of Service Windows
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-26112 HIGH PATCH This Week

Microsoft Excel and Office products are vulnerable to local code execution through unsafe pointer dereferencing, requiring user interaction to trigger. An attacker with local access can exploit this flaw to achieve arbitrary code execution with full system privileges. No patch is currently available, leaving users of affected Office versions at risk.

Microsoft Authentication Bypass Office Online Server Excel Office +2
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-26108 HIGH PATCH This Week

Heap buffer overflow in Microsoft Office Excel enables local code execution with high integrity and confidentiality impact affecting Office, Office Online Server, and 365 Apps. An attacker with user interaction can achieve arbitrary code execution in the context of the affected application. No patch is currently available for this vulnerability.

Microsoft Buffer Overflow Heap Overflow Office Office Online Server +3
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-26107 HIGH PATCH This Week

Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. [CVSS 7.8 HIGH]

Microsoft Use After Free Denial Of Service Memory Corruption Office Long Term Servicing Channel +4
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-24291 HIGH PATCH This Week

Privilege escalation in Windows Accessibility Infrastructure (ATBroker.exe) across Windows 10, Windows 11, and Windows Server 2022 stems from improper permission assignments on a critical resource. A local authenticated attacker can exploit this misconfiguration to gain elevated privileges without user interaction. No patch is currently available for this vulnerability.

Information Disclosure Microsoft Windows Server 2022 Windows 11 25h2 Windows 11 23h2 +12
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-24294 HIGH PATCH This Week

Windows SMB Server authentication bypass across multiple versions (Windows 10 1607, Windows 11 23h2, Windows Server 2012/2025) permits authenticated local users to escalate privileges with high impact to confidentiality, integrity, and availability. The vulnerability stems from improper authentication validation in the SMB service, allowing a local attacker to gain system-level access without user interaction. No patch is currently available, leaving affected systems vulnerable to privilege escalation attacks from any authenticated user.

Microsoft Authentication Bypass Windows 10 1607 Windows 10 1809 Windows 10 21h2 +11
NVD VulDB GitHub
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-26738 HIGH This Week

Arbitrary code execution in Uderzo Software SpaceSniffer v.2.0.5.18 results from a buffer overflow vulnerability triggered by processing malicious .sns snapshot files. An attacker with local access can craft a specially formatted file to achieve code execution with high privileges. No patch is currently available for this vulnerability.

Buffer Overflow RCE Stack Overflow Spacesniffer
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-25190 HIGH PATCH This Week

Untrusted search path in Windows GDI allows an unauthorized attacker to execute code locally. [CVSS 7.8 HIGH]

Authentication Bypass Microsoft Windows Server 2022 23h2 Windows Server 2022 Windows 11 26h1 +12
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-25175 HIGH PATCH This Week

Out-of-bounds read in Windows NTFS allows an authorized attacker to elevate privileges locally. [CVSS 7.8 HIGH]

Information Disclosure Buffer Overflow Microsoft Windows Server 2019 Windows 10 1607 +9
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-25174 HIGH PATCH This Week

Windows Extensible File Allocation (exFAT) contains an out-of-bounds read vulnerability affecting Windows Server 2022, Windows 10 1607, and Windows 11 versions 23h2/25h2, enabling authenticated local users to escalate privileges with high impact on confidentiality, integrity, and availability. The vulnerability requires local access and user-level privileges to exploit, with no patch currently available. This flaw carries a CVSS score of 7.8 and affects multiple supported Windows versions across server and client platforms.

Information Disclosure Buffer Overflow Microsoft Windows Server 2022 Windows 10 1607 +13
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-25165 HIGH PATCH This Week

Privilege escalation in Windows Performance Counters via null pointer dereference affects Windows Server 2019 and Windows 11 systems, enabling authenticated local attackers to gain elevated privileges. The vulnerability impacts systems where users have standard account access, allowing them to escalate to higher privilege levels on affected machines. No patch is currently available.

Null Pointer Dereference Microsoft Denial Of Service Windows Server 2019 Windows 11 26h1 +13
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-24293 HIGH PATCH This Week

Privilege escalation in Windows Ancillary Function Driver for WinSock affects Windows 11 24H2, Windows Server 2022, and Windows Server 2025, allowing authenticated local attackers to gain system-level access through null pointer dereference. The vulnerability requires valid user credentials and local access but no user interaction to exploit. No patch is currently available.

Null Pointer Dereference Microsoft Denial Of Service Windows Server 2022 Windows 11 24h2 +7
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-24292 HIGH PATCH This Week

Privilege escalation in Windows Connected Devices Platform Service (Cdpsvc) exploits a use-after-free memory vulnerability, affecting Windows 10 22h2 and Windows 11 (25h2, 26h1). An authenticated local attacker can leverage this flaw to gain system-level privileges on vulnerable systems. No patch is currently available for this high-severity vulnerability.

Use After Free Denial Of Service Memory Corruption Windows 10 22h2 Windows 11 25h2 +10
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-23665 HIGH PATCH This Week

Privilege escalation in Azure Linux Virtual Machines results from a heap-based buffer overflow that authenticated local users can exploit to gain elevated system access. An attacker with valid credentials can trigger memory corruption to bypass privilege restrictions and assume administrative control of the affected virtual machine. No patch is currently available, making this a critical risk for organizations running Azure Linux infrastructure.

Buffer Overflow Heap Overflow Microsoft
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-25189 HIGH PATCH This Week

Privilege escalation in Windows DWM Core Library affects Windows 10 versions 21H2 and 1809 through a use-after-free memory corruption vulnerability that allows authenticated local attackers to gain system-level privileges. The vulnerability requires local access and valid user credentials but no user interaction, creating a significant risk for multi-user systems. No patch is currently available.

Use After Free Microsoft Denial Of Service Memory Corruption Windows 10 21h2 +5
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-23672 HIGH PATCH This Week

Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability [CVSS 7.8 HIGH]

Information Disclosure Buffer Overflow Microsoft Windows 11 25h2 Windows Server 2019 +13
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-26131 HIGH PATCH This Week

Incorrect default permissions in .NET allows an authorized attacker to elevate privileges locally. [CVSS 7.8 HIGH]

Privilege Escalation Red Hat
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-25176 HIGH PATCH This Week

Windows Ancillary Function Driver for WinSock in Windows 10 (all versions) and Windows 11 contains an access control weakness that enables authenticated local attackers to escalate privileges to system level. An attacker with standard user credentials can exploit this flaw to gain elevated rights on affected systems. No patch is currently available for this vulnerability.

Authentication Bypass Microsoft Windows 10 22h2 Windows 10 1607 Windows Server 2019 +12
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-23660 HIGH PATCH This Week

Windows Admin Center in Azure Portal contains an access control flaw that enables local authenticated users to escalate their privileges. An attacker with valid credentials can exploit this vulnerability to gain elevated permissions on the system. No patch is currently available for this issue.

Authentication Bypass Microsoft Windows Admin Center Windows
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-26141 HIGH PATCH This Week

Improper authentication in Azure Arc allows an authorized attacker to elevate privileges locally. [CVSS 7.8 HIGH]

Authentication Bypass Microsoft Azure Automation Hybrid Worker Windows Extension
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-26128 HIGH PATCH This Week

Windows SMB Server's authentication mechanism can be bypassed by local authenticated users to gain elevated privileges on affected systems. This high-severity vulnerability (CVSS 7.8) impacts confidentiality, integrity, and availability, though no patch is currently available. Organizations should implement compensating controls and monitor for exploitation attempts targeting this authentication weakness.

Microsoft Authentication Bypass
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-26117 HIGH PATCH This Week

Privilege escalation in Microsoft Azure Connected Machine Agent on Windows allows local authenticated users to bypass authentication mechanisms and gain elevated system privileges. An attacker with existing local access can exploit alternate authentication paths to escalate their permissions without user interaction. No patch is currently available for this vulnerability affecting Arc Enabled Servers.

Authentication Bypass Microsoft Arc Enabled Servers Azure Connected Machine Agent Windows
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-24290 HIGH PATCH This Week

Windows Projected File System in Windows 11 and Server 2022 contains improper access control that enables authenticated local users to escalate privileges to system level. An attacker with valid credentials can exploit this vulnerability to gain elevated permissions without user interaction. Currently, no patch is available to address this issue.

Microsoft Authentication Bypass Windows 11 24h2 Windows Server 2022 23h2 Windows 11 26h1 +9
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27278 HIGH This Week

Arbitrary code execution in Adobe Acrobat and Acrobat Reader versions 24.001.30307 and earlier stems from a use-after-free memory vulnerability triggered when users open specially crafted files. An attacker can achieve code execution with the privileges of the current user, though exploitation requires victim interaction. No patch is currently available for affected versions.

Adobe Use After Free Acrobat Reader Dc Acrobat Acrobat Dc
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
Prev Page 3 of 8 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy