Skip to main content
CVE-2026-45393 HIGH PATCH This Week

Local privilege-bound input validation flaw in Cribl Edge versions prior to 4.17.1 allows an authenticated low-privileged local user to achieve high impact on confidentiality, integrity, and availability of the affected node. The issue is tracked as CWE-20 (Improper Input Validation) and was reported by Cribl itself with a vendor patch already available; no public exploit identified at time of analysis and EPSS is very low at 0.02%.

Information Disclosure Cribl Edge
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-45391 HIGH PATCH This Week

Local privilege-context input validation flaw in Cribl Edge versions prior to 4.17.1 allows an authenticated local user with low privileges to compromise confidentiality, integrity, and availability of the Edge node. Tagged as an information disclosure issue by the vendor, the vulnerability scores CVSS 4.0 8.5 (high) but carries a very low EPSS of 0.02%, and no public exploit identified at time of analysis. A vendor patch is available and the issue is tracked as EUVD-2026-29355.

Information Disclosure Cribl Edge
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-43989 HIGH This Week

Arbitrary file read in JunoClaw's MCP upload_wasm tool allows local attackers to exfiltrate any file accessible to the agent process by providing crafted filesystem paths. The vulnerability affects all JunoClaw versions prior to 0.x.y-security-1 when an AI agent is induced to accept a malicious path parameter, enabling read access to sensitive files including configuration secrets, private keys, or source code. No active exploitation confirmed via CISA KEV, but the CVSS 8.5 HIGH score reflects significant confidentiality and integrity impact with changed scope. Fixed version 0.x.y-security-1 introduces comprehensive path validation including directory containment checks, symlink resolution guards, file size limits, and WebAssembly magic number verification.

Information Disclosure Junoclaw
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-20714 HIGH This Week

Out-of-bounds write for some Intel(R) QAT software drivers for Windows before version 1.13 within Ring 3: User Applications may allow a escalation of privilege. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.

Microsoft Buffer Overflow Memory Corruption Privilege Escalation Intel
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-20738 HIGH This Week

Untrusted pointer dereference for some Intel(R) QuickAssist Adapter 8960 software before version 1.13 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.

Privilege Escalation Intel
NVD
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-42893 HIGH PATCH Exploit Unlikely This Week

Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to perform tampering over a network.

Command Injection Microsoft Outlook For Ios
NVD VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-43991 HIGH This Week

Command injection in JunoClaw's plugin-shell allowed adversarial argument construction to bypass the substring-based blocklist and achieve unauthorized command execution on the host when the unsafe-shell feature was enabled. Attackers could craft commands with special tokens or argument patterns to evade blocklist checks that scanned raw command strings instead of parsed first tokens. The vulnerability required local access but no authentication or user interaction (CVSS AV:L/AC:L/PR:N/UI:N) with high impact across confidentiality, integrity, and availability. No public exploit code or CISA KEV listing identified at time of analysis. Fixed in version 0.x.y-security-1 by replacing the blocklist with a strict allowlist on parsed command tokens and removing shell wrapper metacharacter expansion.

Command Injection Junoclaw
NVD GitHub
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-43990 HIGH This Week

Command injection in JunoClaw agentic AI platform versions prior to 0.x.y-security-1 allows local attackers to execute arbitrary shell commands with high integrity and confidentiality impact. The plugin-shell component wrapped agent-supplied commands in 'sh -c' or 'cmd /C' without sanitizing shell metacharacters, enabling malicious AI agents or compromised agent inputs to break out of intended command boundaries. CISA KEV status: not listed. Public exploit code: GitHub commit 2bc54f6 demonstrates the vulnerable code path and fix implementation. EPSS data: not available. The vendor-released patch (0.x.y-security-1) removes the shell wrapper entirely and implements a strict allowlist plus compile-time feature gate.

Command Injection Junoclaw
NVD GitHub
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-45392 HIGH PATCH This Week

Information disclosure in Cribl Stream versions prior to 4.17.1 allows authenticated remote attackers with low privileges to obtain sensitive data when a user interacts with attacker-supplied content, per CVSS 4.0 vector AV:N/AC:L/PR:L/UI:A. The flaw, classified as CWE-20 (Improper Input Validation), carries a CVSS base score of 8.4 reflecting high confidentiality and integrity impact, but EPSS is only 0.02% (5th percentile) and CISA SSVC reports no observed exploitation. No public exploit identified at time of analysis.

Information Disclosure Cribl Stream
NVD VulDB
CVSS 4.0
8.4
EPSS
0.0%
CVE-2025-65088 HIGH This Week

An Out-of-Bounds Read vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.216 and prior that could allow an attacker to disclose information or execute arbitrary code when a specially crafted VC6 file is being parsed.

Information Disclosure RCE Buffer Overflow Cobalt Xenon +3
NVD
CVSS 4.0
8.4
EPSS
0.0%
CVE-2025-65087 HIGH This Week

An Out-of-Bounds Read vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.216 and prior that could allow an attacker to disclose information or execute arbitrary code when a specially crafted VC6 file is being parsed.

Information Disclosure RCE Buffer Overflow Cobalt Xenon +3
NVD
CVSS 4.0
8.4
EPSS
0.0%
CVE-2025-65086 HIGH This Week

An Out-of-Bounds Write vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.216 and prior that could allow an attacker to execute arbitrary code when a specially crafted VC6 file is being parsed.

Memory Corruption Buffer Overflow RCE Cobalt Xenon +3
NVD
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-35438 HIGH PATCH Exploit Unlikely This Week

Missing authorization in Windows Admin Center allows an authorized attacker to elevate privileges over a network.

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-20879 HIGH This Week

Out-of-bounds write for the Intel(R) Data Center Graphics Driver for VMware ESXi software before version 2.0.2 within Ring 1: Device Drivers may allow a denial of service. System software adversary with a privileged user combined with a low complexity attack may enable data corruption. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (high) and availability (high) impacts.

Denial Of Service Buffer Overflow VMware Memory Corruption Intel
NVD
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-20751 HIGH This Week

Out-of-bounds read for the Intel(R) Data Center Graphics Driver for VMware ESXi software before version 2.0.2 within Ring 1: Device Drivers may allow a denial of service. System software adversary with a privileged user combined with a low complexity attack may enable data exposure. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (high), integrity (none) and availability (high) impacts.

Denial Of Service Buffer Overflow VMware Intel Information Disclosure
NVD
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-35227 HIGH PATCH This Week

TCP connection exhaustion in CODESYS Modbus TCP Server allows remote unauthenticated attackers to trigger a race condition in connection handling, depleting all available TCP connections and denying service to legitimate industrial automation clients. CVSS 8.2 (High) reflects high availability impact. No active exploitation confirmed (not in CISA KEV), but attack complexity is low with present race condition opportunity (AT:P). Patch available from vendor for versions prior to 4.6.0.0.

Information Disclosure Codesys Modbus
NVD
CVSS 4.0
8.2
EPSS
0.1%
CVE-2026-42268 HIGH PATCH This Week

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. From 3.0.0 to before 3.0.15, there is an unhandled exception (std::out_of_range) caused by unsigned integer underflow in libmodsecurity3 if the user (administrator) uses a rule any of @verifySSN, @verifyCPF, or @verifySVNR. This vulnerability is fixed in 3.0.15.

Integer Overflow Apache Information Disclosure Nginx Red Hat +1
NVD GitHub
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-43993 HIGH This Week

Server-Side Request Forgery in JunoClaw's WAVS bridge allows remote attackers to exploit the computeDataVerify function, which fetched agent-supplied URLs without validating scheme, port, or resolved IP addresses. Attackers can trick the bridge into accessing internal cloud metadata services (AWS, GCP), RFC 1918 private networks, databases, and admin APIs running on non-standard ports. Exploitation requires user interaction (UI:R) but no authentication (PR:N), with cross-scope impact (S:C) allowing high confidentiality breach and low availability impact. Fixed in version 0.x.y-security-1 via commit a168608, which implements a comprehensive SSRF guard with scheme/port allowlists, DNS private-IP blocking for both IPv4 and IPv6 ranges, request timeouts, and body size caps. No CISA KEV listing or public exploit code identified at time of analysis.

SSRF Junoclaw
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-41713 HIGH PATCH GHSA This Week

Conversation memory poisoning in VMware Spring AI allows remote unauthenticated attackers to inject malicious input that persists across conversation turns and manipulates AI model behavior. The vulnerability achieves high integrity impact (CVSS 8.2) through stored prompt injection, enabling attackers to alter model responses, extract sensitive context, or bypass application logic without authentication. No active exploitation confirmed at time of analysis, but the network-accessible attack surface and low complexity make this a priority for applications processing user-generated conversational input.

Information Disclosure Ssti
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-39432 HIGH This Week

Missing authorization in Timetics WordPress plugin through version 1.0.53 allows unauthenticated remote attackers to bypass access controls and access sensitive administrative functions or data. With CVSS 8.2 (High), the vulnerability enables high confidentiality impact and low integrity impact against network-accessible instances. Patchstack reported this broken access control flaw, indicating potential exposure of booking systems, customer data, or administrative operations to unauthorized access without authentication.

Authentication Bypass Timetics
NVD VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-34259 HIGH This Week

OS command injection in SAP Forecasting & Replenishment allows authenticated administrators to execute arbitrary system commands through abuse of a non-remote-enabled function, leading to complete system compromise. The vulnerability enables full read/write access to system data and potential system shutdown, though exploitation is constrained to local attack vectors and requires high-privilege administrative access (CVSS 8.2). No public exploit code or active exploitation confirmed at time of analysis, with vendor patch available via SAP Security Patch Day.

Command Injection SAP
NVD VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-45089 HIGH PATCH GHSA This Week

Arbitrary file creation and corruption in dalfox v2 REST API server mode allows unauthenticated remote attackers to write log-formatted data to any filesystem path accessible to the dalfox process. The server exposes output, output-all, and debug JSON fields from the API request directly to the logger's file-write path without validation, and the default configuration omits API key authentication entirely. The vulnerability is fixed in dalfox v2.13.0, released 2025-01-20, which strips all filesystem-dangerous fields from API-sourced requests before passing them to the scan engine. GitHub advisory GHSA-8hf9-3q64-q2qf confirms the issue; no public exploit code is identified at time of analysis, and CISA KEV does not list this CVE.

Authentication Bypass File Upload
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-35071 HIGH PATCH This Week

OS command injection in Dell PowerScale InsightIQ 6.0.0 through 6.2.0 allows high-privileged local administrators to execute arbitrary system commands with elevated privileges, achieving container escape (scope change) on the storage cluster management platform. Dell published security advisory DSA-2026-208 addressing this vulnerability. EPSS data not available; no CISA KEV listing indicates targeted rather than widespread exploitation at time of analysis.

Dell Command Injection
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-40415 HIGH PATCH This Week

Use after free in Windows TCP/IP allows an unauthorized attacker to execute code over a network.

Denial Of Service Microsoft Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-41102 HIGH PATCH This Week

Improper access control in Microsoft Office PowerPoint allows an authorized attacker to perform spoofing locally.

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-44260 HIGH PATCH This Week

efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the readonly flag set on the <efw:elFinder> JSP tag is intended to prevent file modifications. When protected=true, elfinder_checkRisk enforces that the client sends readonly=true (matching the session value), but no event handler checks the readonly value before performing write operations. The flag only controls client-side UI elements (disabling buttons) and response metadata (write: 0, locked: 1). An attacker who sends requests directly (bypassing the UI) can perform all file operations despite readonly=true. This vulnerability is fixed in 4.08.010.

Authentication Bypass Efw4 X
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-44548 HIGH This Week

ChurchCRM is an open-source church management system. Prior to 7.3.2, top-level cross-site GET navigation from an attacker-controlled page to FundRaiserDelete.php, PropertyTypeDelete.php, or NoteDelete.php causes a logged-in ChurchCRM user with the relevant role to silently delete records, including cascaded property and record-to-property assignments. This vulnerability is fixed in 7.3.2.

PHP CSRF
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-44291 HIGH PATCH GHSA This Week

Prototype pollution in protobuf.js type lookup tables enables remote code execution via code injection into generated encode/decode functions. Affects npm package protobuf.js versions ≤7.5.5 and 8.0.0-8.0.1. Exploitation requires chaining with a separate prototype pollution vulnerability-applications must first allow Object.prototype pollution, then invoke protobufjs code generation on attacker-influenced schemas. Vendor-released patches available (v7.5.6, v8.0.2). CVSS 8.1 (High) reflects network vector but high attack complexity (AC:H) due to multi-step prerequisite. No evidence of active exploitation (not in CISA KEV), public exploit code not identified at time of analysis.

Code Injection RCE
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-34332 HIGH PATCH This Week

Use after free in Windows Kernel-Mode Drivers allows an authorized attacker to execute code over a network.

Denial Of Service Microsoft Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
8.0
EPSS
0.1%
CVE-2026-35416 HIGH PATCH Exploit Likely This Week

Local privilege escalation in the Windows Ancillary Function Driver for WinSock (AFD.sys) allows low-privileged authenticated users to execute arbitrary code with SYSTEM privileges via use-after-free memory corruption. Microsoft has released patches addressing Windows 10 (versions 1607 through 22H2), Windows 11 (versions 22H3 through 26H1), and Windows Server 2012. CVSS base score is 7.0 (High) with local attack vector and high attack complexity. EPSS data not available; no CISA KEV listing at time of analysis, suggesting exploitation has not been observed in the wild despite public disclosure.

Denial Of Service Microsoft Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.0
EPSS
0.1%
CVE-2026-34340 HIGH PATCH Exploit Unlikely This Week

Use after free in Windows Projected File System allows an authorized attacker to elevate privileges locally.

Denial Of Service Microsoft Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-34345 HIGH PATCH Exploit Unlikely This Week

Race condition in Windows Ancillary Function Driver for WinSock (AFD.sys) enables local privilege escalation for low-privileged authenticated users across Windows 10 (1607-22H2), Windows 11 (22H3-26H1), and Windows Server 2016. Microsoft confirmed the vulnerability and released patches via their March 2026 security updates. The flaw requires high attack complexity (CVSS AC:H), suggesting exploitation depends on winning a narrow timing window in concurrent socket operations. EPSS data unavailable, no CISA KEV listing at time of analysis, but Microsoft's rapid patch indicates credible exploit risk.

Microsoft Race Condition Information Disclosure
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2023-27753 HIGH This Week

An arbitrary file upload vulnerability in MK-Auth 23.01K4.9 allows attackers to execute arbitrary code via uploading a crafted PHP file. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP File Upload RCE
NVD GitHub
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-44184 HIGH PATCH This Week

Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, Cleanuparr's global CORS policy reflects every request Origin and combines it with AllowCredentials(). When DisableAuthForLocalAddresses is enabled, the API also authenticates requests purely by source IP via TrustedNetworkAuthenticationHandler. The combination lets any website that an admin (or any user on a trusted IP) visits read authenticated API responses cross-origin - including the admin's permanent API key. This vulnerability is fixed in 2.9.10.

Information Disclosure
NVD GitHub
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-35417 HIGH PATCH Exploit Likely This Week

Access of resource using incompatible type ('type confusion') in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally.

Microsoft Information Disclosure Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-31221 HIGH GHSA This Week

Arbitrary code execution occurs in PyTorch Lightning 2.6.0 and earlier when loading malicious checkpoint files. The LightningModule.load_from_checkpoint() method deserializes untrusted Pickle data without security restrictions, allowing attackers to execute arbitrary Python code when victims open crafted .ckpt files. EPSS score of 0.06% (19th percentile) indicates low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis. Attack requires local access and user interaction (opening a malicious checkpoint), limiting remote attack scenarios to social engineering or supply chain compromise.

Checkpoint Python RCE Deserialization
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-40397 HIGH PATCH Exploit Likely This Week

Integer underflow (wrap or wraparound) in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.

Integer Overflow Microsoft Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-42896 HIGH PATCH Exploit Unlikely This Week

Integer overflow or wraparound in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.

Integer Overflow Microsoft Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-40399 HIGH PATCH Exploit Unlikely This Week

Stack-based buffer overflow in Windows TCP/IP allows an authorized attacker to elevate privileges locally.

Stack Overflow Microsoft Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-35415 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Windows Storage Spaces Controller enables authenticated users with low-level access to gain SYSTEM-level privileges by exploiting an integer overflow that leads to memory corruption. Affects Windows 10 (1607 through 22H2), Windows 11 (all versions through 26H1), and Windows Server 2012 R2. Microsoft has released security updates through their March 2026 Patch Tuesday. No active exploitation confirmed in CISA KEV at time of analysis, though the combination of low attack complexity (AC:L) and no user interaction requirement (UI:N) makes post-compromise exploitation straightforward for attackers who have already obtained initial access.

Integer Overflow Microsoft Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-34333 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Windows Win32K graphics subsystem affects Windows 10 (1607 through 22H2), Windows 11 (all versions including 26H1 preview), and Windows Server 2012 through authenticated low-privileged local users exploiting a use-after-free memory corruption flaw. Microsoft has released security updates addressing this CWE-416 vulnerability with CVSS 7.8 severity. The local attack vector and low complexity (AC:L) indicate straightforward exploitation once local access is achieved, though no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.

Denial Of Service Microsoft Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-34330 HIGH PATCH This Week

Local privilege escalation in Windows Win32K graphics subsystem allows authenticated users to gain SYSTEM-level access via integer overflow exploitation. Affects all supported Windows 10, Windows 11, and Windows Server 2012 versions. Microsoft has released patches through their March 2026 security update (MSRC guide confirms vendor-released fix). CVSS 7.8 reflects high impact across confidentiality, integrity, and availability. No public exploit code identified at time of analysis, and not listed in CISA KEV, indicating limited or no active exploitation despite the severity of potential impact.

Integer Overflow Microsoft Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-33837 HIGH PATCH Exploit Likely This Week

Heap-based buffer overflow in Windows TCP/IP allows an authorized attacker to elevate privileges locally.

Heap Overflow Microsoft Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-33835 HIGH PATCH Exploit Likely This Week

Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.

Denial Of Service Microsoft Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-33840 HIGH PATCH Exploit Likely This Week

Privilege escalation in Windows Win32K ICOMP component affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 via a use-after-free memory corruption flaw. Low-privileged authenticated local attackers can exploit this to gain SYSTEM-level privileges with low attack complexity and no user interaction required. Microsoft has released patches addressing this vulnerability, tracked under MSRC guidance. No active exploitation or public exploit code has been identified at time of analysis, with EPSS data not yet available for this recent CVE.

Denial Of Service Microsoft Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-35421 HIGH PATCH NEWS This Week

Heap-based buffer overflow in Windows GDI allows an unauthorized attacker to execute code locally.

Heap Overflow Microsoft Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-33838 HIGH PATCH Exploit Unlikely This Week

Double free in Windows Message Queuing allows an authorized attacker to elevate privileges locally.

Microsoft Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-40418 HIGH PATCH This Week

Use after free in Microsoft Office Click-To-Run allows an authorized attacker to elevate privileges locally.

Denial Of Service Microsoft Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-40382 HIGH PATCH Exploit Unlikely This Week

Use after free in Windows Telephony Service allows an authorized attacker to elevate privileges locally.

Denial Of Service Microsoft Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34338 HIGH PATCH Exploit Unlikely This Week

Use after free in Windows Telephony Service allows an authorized attacker to elevate privileges locally.

Denial Of Service Microsoft Use After Free Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
Prev Page 3 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy