Skip to main content
CVE-2025-15665 MEDIUM POC PATCH This Month

Stored cross-site scripting in the Ultimate Before After Image Slider & Gallery WordPress plugin (all versions before 4.7.1) enables users with administrator-level access to plant persistent malicious scripts via the BEAF Slider widget's shortcode field, which then execute silently in the browsers of any site visitor loading a page displaying the widget. The plugin pipes the field value through WordPress's native do_shortcode() function without sanitizing or escaping the output, causing unrecognized content to be echoed verbatim to the rendered page. A publicly available proof-of-concept has been disclosed by WPScan; no active exploitation has been confirmed in the CISA Known Exploited Vulnerabilities catalog.

WordPress Information Disclosure Ultimate Before After Image Slider Gallery
NVD WPScan
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-48325 CRITICAL Act Now

Missing authentication in Adobe ColdFusion allows an unauthenticated attacker on an adjacent network to trigger arbitrary code execution in the context of the current user, without any user interaction. The flaw (CWE-306) bypasses authentication on a critical function and carries a scope change, meaning the impact reaches beyond the vulnerable component. There is no public exploit identified at time of analysis, but the issue was reported by Adobe PSIRT and addressed in advisory APSB26-82.

Authentication Bypass RCE Coldfusion
NVD VulDB
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-50343 HIGH PATCH Exploit Likely This Week

Local privilege escalation in the Microsoft Install Service (Windows Installer) affects supported Windows 10, Windows 11, and Windows Server 2019-2025 builds, letting an already-authenticated local user with limited rights (PR:L) elevate to SYSTEM. The flaw stems from improper privilege management (CWE-269) in how the service handles operations, yielding full confidentiality, integrity, and availability impact. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Microsoft Privilege Escalation Windows 10 Version 1809 Windows 10 Version 21H2 Windows 10 Version 22H2 +8
NVD
CVSS 3.1
7.8
EPSS
2.5%
CVE-2026-48334 CRITICAL Act Now

Illustrator is affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.

RCE
NVD
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-58475 MEDIUM POC This Month

Stored cross-site scripting in Sustainable Irrigation Platform (SIP) through version 5.2.16 enables unauthenticated remote attackers to permanently inject arbitrary JavaScript by submitting crafted program names via HTTP requests, with the payload executing in every subsequent viewer's browser. Exploitation is significantly facilitated by the application's acceptance of submissions with no passphrase configured or using the default passphrase 'opendoor', removing any authentication barrier in common deployments. A publicly available proof-of-concept exploit from ZeroScience (ZSL-2026-5994) documents the attack path; this CVE is not currently listed in the CISA KEV catalog.

XSS Sip
NVD
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-50338 HIGH PATCH Exploit Unlikely This Week

Privilege elevation in Microsoft Azure Spring Apps allows an already-authenticated, low-privileged network attacker to gain higher privileges by abusing an improper authentication weakness (CWE-287) in the managed platform. Because the CVSS scope is marked as changed (S:C), a successful attack can reach resources beyond the attacker's originally authorized boundary, yielding high confidentiality and integrity impact. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; Microsoft has published an advisory and a patch is available server-side.

Java Authentication Bypass Microsoft Azure Spring Apps
NVD
CVSS 3.1
8.2
EPSS
0.5%
CVE-2026-50528 HIGH PATCH Exploit Unlikely This Week

Security feature bypass in Microsoft .NET (versions 8.0, 9.0, and 10.0) lets a remote, unauthenticated attacker circumvent an authorization control over the network due to incorrect authorization logic (CWE-863). Rated CVSS 8.2, the flaw carries a high integrity impact and requires no privileges or user interaction, though there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Microsoft has released a patch, and the affected surface also includes Visual Studio 2022 (17.12, 17.14) and Visual Studio 2026 (18.7) tooling that bundle the runtime.

Authentication Bypass Net 10 0 Net 8 0 Net 9 0 Microsoft Visual Studio 2022 Version 17 12 +2
NVD
CVSS 3.1
8.2
EPSS
0.4%
CVE-2026-15643 CRITICAL PATCH Act Now

Server-side request forgery in AWS awslabs.healthlake-mcp-server before 0.0.14 lets a remote authenticated user exfiltrate AWS temporary security credentials to an attacker-controlled endpoint by supplying a crafted next_token pagination parameter. Because the server never validates that paginated request URLs still point at the legitimate HealthLake FHIR datastore, subsequent authenticated calls (carrying SigV4/temporary credentials) can be redirected off-host. Rated CVSS 4.0 9.2 (critical); no public exploit identified at time of analysis and not listed in CISA KEV.

SSRF Awslabs Healthlake Mcp Server
NVD
CVSS 4.0
9.2
EPSS
0.2%
CVE-2026-15183 CRITICAL PATCH Act Now

SQL injection and input-validation weaknesses in the Snowflake Spark Connector (spark-snowflake) before version 3.2.1 let attackers exfiltrate OAuth client credentials, run arbitrary SQL under the connector's Snowflake role, and redirect COPY data-loading operations to attacker-controlled storage. Reported by Snowflake, the flaws are most dangerous in shared/multi-tenant Spark clusters where injected SQL executes with the cluster admin's JDBC credentials, enabling credential theft and privilege escalation. Rated CVSS 4.0 9.2 (Critical); no public exploit identified at time of analysis.

Authentication Bypass SQLi Privilege Escalation Snowflake Spark Connector
NVD VulDB
CVSS 4.0
9.2
EPSS
0.2%
CVE-2025-11698 CRITICAL Act Now

Denial-of-service in Rockwell Automation CompactLogix/GuardLogix 5380, CompactLogix 5480, and ControlLogix/GuardLogix 5580 controllers running boot firmware below version 1.072 lets a remote unauthenticated attacker write malformed file data that forces the device into a major non-recoverable fault (MNRF), halting the controlled process until manual recovery. The flaw carries a CVSS 4.0 base of 9.2 driven purely by availability impact (no data confidentiality or integrity loss) and requires no authentication or user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Buffer Overflow Compactlogix 5380 Recovery Image Compact Guardlogix 5380 Recovery Image Compactlogix 5480 Recovery Image Controllogix 5580 Recovery Image Guardlogix 5580 Recovery Image
NVD VulDB
CVSS 4.0
9.2
EPSS
0.3%
CVE-2025-12012 CRITICAL Act Now

Denial-of-service in Rockwell Automation Logix programmable controllers allows a remote unauthenticated attacker to write invalid file data that forces the device into a Major Non-Recoverable Fault (MNRF), halting the industrial process it controls. Rated CVSS 4.0 9.2 (Critical) with availability as the sole impact, the flaw is a CWE-120 buffer overflow reachable over the network with no privileges or user interaction. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but the low attack complexity makes it a high-priority patch for OT environments.

Buffer Overflow Compactlogix 5370 Compact Guardlogix 5370 Controllogix 5570 Guardlogix 5570
NVD
CVSS 4.0
9.2
EPSS
0.3%
CVE-2025-12011 CRITICAL Act Now

Remote denial-of-service in Rockwell Automation CompactLogix 5370, Compact GuardLogix 5370, ControlLogix 5570, and GuardLogix 5570 controllers allows a remote user to push a malformed project file that forces the controller into a Major Non-Recoverable Fault (MNRF), halting the controlled process until manual recovery. The CVSS 4.0 score of 9.2 reflects high availability impact on both the controller and the downstream physical process (VA:H/SA:H) with no authentication or user interaction required per the vendor vector. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but the loss of a safety-rated (GuardLogix) controller makes availability the dominant concern.

Buffer Overflow Compactlogix 5370 Compact Guardlogix 5370 Controllogix 5570 Guardlogix 5570
NVD
CVSS 4.0
9.2
EPSS
0.3%
CVE-2026-56169 HIGH PATCH Exploit Unlikely This Week

Privilege elevation in Microsoft Windows Admin Center allows an already-authenticated (low-privileged) network attacker to bypass improper authentication controls and gain higher privileges, exposing high-value confidentiality and integrity impact. Rated CVSS 8.1 with low attack complexity and no user interaction, the flaw is remotely reachable but requires an existing authorized session. No public exploit identified at time of analysis; Microsoft has released a fix via the MSRC update guide.

Authentication Bypass Microsoft Windows Admin Center
NVD VulDB
CVSS 3.1
8.1
EPSS
0.5%
CVE-2026-55954 CRITICAL PATCH Act Now

Authentication bypass by spoofing in the Elixir ueberauth_apple strategy (0.1.0 through 0.6.1) allows full account takeover because the callback id_token's signature is checked against Apple's JWKS but its registered claims are never validated. Remote unauthenticated attackers who obtain any Apple-signed token carrying the victim's sub - an expired token or one issued to a sibling client in the same Apple developer team - can replay it to log in as the victim. No public exploit identified at time of analysis, but the vendor-confirmed fix (0.6.2) and a clear replay path make this a high-priority auth flaw; EPSS and KEV data were not provided.

Apple Authentication Bypass Ueberauth Apple
NVD GitHub
CVSS 4.0
9.1
EPSS
0.4%
CVE-2026-44761 CRITICAL NEWS Act Now

Authentication bypass via well-known default credentials in SAP Commerce Cloud allows an unauthenticated remote attacker to abuse a pre-provisioned sample OAuth2 client whose client ID and secret are published in SAP Help Portal documentation. If the sample client is left in place, the attacker mints a valid OAuth2 access token and calls certain APIs to read and modify business data (CVSS 9.1, high confidentiality and integrity impact, no availability impact). No public exploit identified at time of analysis, but the credentials are publicly documented, making exploitation trivial wherever the sample configuration was never removed.

SAP Information Disclosure Sap Commerce Cloud
NVD
CVSS 3.1
9.1
EPSS
0.4%
CVE-2026-52101 CRITICAL Act Now

Information disclosure in andreimarcu Linx (linx-server) versions 1.0 through 2.3.8 lets remote attackers retrieve sensitive data through the uploadRemote function in upload.go, which fetches attacker-supplied remote URLs on the server's behalf. The flaw carries a CVSS 9.1 rating with a network, unauthenticated, low-complexity vector, so exploitation requires no credentials or user interaction. No public exploit is identified, though a third-party vulnerability report is published for the CVE.

Information Disclosure
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-47304 HIGH PATCH Exploit Unlikely This Week

Security feature bypass in Microsoft .NET (shipped via Visual Studio 2022 17.12/17.14 and Visual Studio 2026 18.7) lets a remote, unauthenticated attacker defeat a cryptographic-signature check over the network — most likely a JWT/token signature verification flaw per the vendor 'Jwt Attack' and 'Authentication Bypass' tags. By forging or tampering with signed data the runtime fails to validate correctly, an attacker can impersonate trusted principals and undermine an authentication or integrity control. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Jwt Attack Microsoft Visual Studio 2022 Version 17 12 Microsoft Visual Studio 2022 Version 17 14 Microsoft Visual Studio 2026 Version 18 7
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-15747 CRITICAL PATCH Act Now

CSRF token disclosure in the Perl Mojolicious web framework (versions 4.59 up to but not including 9.48) allows a network attacker to recover a victim's session CSRF token via a BREACH compression side channel and then bypass csrf_protect validation. Because _csrf_token cached and returned one stable per-session value that _csrf_field embedded in every response, an attacker who could inject reflected input into a gzip-compressed page could iteratively guess the token by observing compressed response lengths. There is no public exploit identified at time of analysis, EPSS is low (0.15%), and it is not in CISA KEV, but SSVC rates technical impact as total and automatable as yes.

CSRF Oracle Mojolicious
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-55009 HIGH PATCH This Week

Local privilege escalation in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM) allows an already-authenticated attacker with low privileges to elevate to higher privileges by abusing unsafe deserialization of untrusted data. Microsoft reported the flaw and has released a patch; no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS 3.1 base score is 7.8 (High), reflecting full confidentiality, integrity, and availability impact on the affected host.

Microsoft Deserialization Microsoft Exchange Server 2016 Cumulative Update 23 Microsoft Exchange Server 2019 Cumulative Update 14 Microsoft Exchange Server 2019 Cumulative Update 15 +1
NVD
CVSS 3.1
7.8
EPSS
1.7%
CVE-2026-50646 HIGH PATCH Exploit Unlikely This Week

Local code execution in Microsoft .NET (Framework 3.5 through 4.8.1, .NET 8.0/9.0, and Visual Studio 2022/2026) arises from a protection mechanism failure (CWE-693) that lets an unauthorized attacker run arbitrary code once a victim is lured into opening a malicious file or project. The flaw requires user interaction (UI:R) and local delivery (AV:L) but no prior privileges (PR:N), yielding high confidentiality, integrity, and availability impact and a 7.8 CVSS score. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but the ubiquity of .NET on Windows makes patching a priority.

Authentication Bypass Net 8 0 Net 9 0 Microsoft Net Framework 3 5 Microsoft Net Framework 3 5 And 4 7 2 +7
NVD
CVSS 3.1
7.8
EPSS
1.6%
CVE-2026-58647 HIGH PATCH This Week

Cross-site scripting (CWE-79) in Microsoft Power BI Report Server lets an authenticated, low-privileged attacker inject script that executes in another user's browser session, enabling spoofing of report content and hijacking of the victim's authenticated context over the network. Exploitation requires a victim to interact with attacker-controlled report content (UI:R). There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; a vendor patch is available per the MSRC advisory.

XSS Power Bi Report Server
NVD
CVSS 3.1
8.0
EPSS
0.5%
CVE-2026-47984 CRITICAL Act Now

Security feature bypass in Adobe Commerce, Magento Open Source, Adobe Commerce B2B, and the Adobe Commerce Webhooks Plugin allows a remote unauthenticated attacker (PR:N/UI:N) to circumvent authorization checks and obtain unauthorized read and write access to protected resources. Rooted in an incorrect authorization flaw (CWE-863), it carries a critical 9.1 CVSS with high confidentiality and integrity impact and requires no user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-facing, no-privilege profile on a high-value e-commerce platform makes it a strong patch priority.

Authentication Bypass Adobe Adobe Commerce Adobe Commerce B2B Magento Open Source +1
NVD VulDB
CVSS 3.1
9.1
EPSS
0.5%
CVE-2026-47988 CRITICAL Act Now

Improper authorization in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugin allows remote unauthenticated attackers to bypass security controls and obtain unauthorized read and write access to protected data or functionality. The flaw carries a CVSS 9.1 rating, requires no user interaction, and per the CVSS vector needs no privileges (PR:N). There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-reachable, unauthenticated nature makes it high priority for internet-facing storefronts.

Authentication Bypass Adobe Adobe Commerce Adobe Commerce B2B Magento Open Source +1
NVD VulDB
CVSS 3.1
9.1
EPSS
0.5%
CVE-2026-50006 CRITICAL GHSA Act Now

Arbitrary file write in Anyquery Server Mode (versions < 0.4.5) allows unauthenticated remote attackers to write files to any path the process can access by abusing SQLite's native ATTACH DATABASE command exposed over the MySQL-compatible listener. Because the server blindly proxies SQL to the underlying SQLite engine, an attacker can create files such as cron jobs, PHP web shells, or SSH authorized_keys and escalate the file write into remote code execution or denial of service. A working step-by-step proof-of-concept is published in the vendor's GitHub Security Advisory (GHSA-xrcf-6jh3-ggvx); there is no CISA KEV entry and no confirmed in-the-wild exploitation at time of analysis.

RCE Denial Of Service Path Traversal PHP
NVD GitHub
CVSS 3.1
9.1
CVE-2026-60082 CRITICAL PATCH Act Now

Out-of-bounds read in the Perl DBI (Database Independent Interface) module before version 1.651 lets a caller trigger a negative-array-index read inside the internal row-buffer helper (_set_fbav in DBI.xs), potentially disclosing adjacent process memory or crashing the interpreter. The flaw arises when a statement handle declares zero fields but is fed a non-empty source row, an inconsistency the module failed to reject before returning results. No public exploit has been identified at time of analysis and the issue is not on CISA KEV; the assigned CVSS of 9.1 reflects high confidentiality and availability impact under a network vector, but realistic exploitation depends on a caller (typically a DBD driver or database backend) supplying mismatched metadata and rows.

Buffer Overflow Information Disclosure Dbi
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-58319 CRITICAL PATCH Act Now

Missing authentication on Apache Doris Frontend (FE) HTTP REST administrative APIs allows any unauthenticated attacker with network reach to the FE HTTP service to invoke privileged administrative operations, degrading cluster integrity and availability up to full denial of service. All Apache Doris releases before 3.1.0 (per EUVD, the 2.1.0 through pre-3.1.0 line) are affected, and a fixed release exists in 3.1.0. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; the 9.1 Critical CVSS reflects the trivial unauthenticated network exploitability rather than confirmed in-the-wild use.

Apache Authentication Bypass Denial Of Service Doris
NVD VulDB
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-27690 CRITICAL PATCH NEWS Act Now

Request-response desynchronization in SAP Approuter lets an unauthenticated remote attacker send a specially crafted HTTP request that smuggles a second request past the front end, allowing exposure of other users' HTTP responses and denial of service against the application. The flaw carries a CVSS 9.1 (high confidentiality and availability impact) and was reported by SAP; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

SAP Request Smuggling Information Disclosure Sap Approuter
NVD
CVSS 3.1
9.1
EPSS
0.5%
CVE-2026-48327 CRITICAL Act Now

Arbitrary code execution in Adobe ColdFusion allows an attacker with low-privileged access on an adjacent network to bypass authorization controls (CWE-863) and run code in the context of the current user, with a scope change that lets the impact extend beyond the vulnerable component. Adobe PSIRT reported the flaw and published advisory APSB26-82; it is tagged as RCE and authentication bypass with a CVSS 3.1 base score of 9.0. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the incorrect-authorization-to-RCE pattern in ColdFusion has historically drawn rapid attacker interest.

Authentication Bypass RCE Coldfusion
NVD VulDB
CVSS 3.1
9.0
EPSS
0.2%
CVE-2026-57898 CRITICAL PATCH Act Now

Unauthenticated arbitrary file write in Eclipse BaSyx Java Server SDK (2.0.0-milestone-05 through 2.0.0-milestone-12) lets remote attackers plant files anywhere the Java process can write when the server is deployed with the MongoDB file backend, potentially escalating to remote code execution. The AAS thumbnail API trusts a client-supplied fileName that is later reused as a filesystem path, so a traversal or absolute-path filename lands attacker-controlled bytes outside the intended directory. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but the vendor-fixed release (2.0.0-milestone-13) is available.

Path Traversal RCE Java Eclipse Basyx Java Server Sdk
NVD VulDB
CVSS 3.1
9.0
EPSS
0.4%
CVE-2026-50649 HIGH PATCH Exploit Unlikely This Week

Local code execution in Microsoft .NET 8.0 and 9.0 (and bundled Visual Studio 2022/2026 toolchains) arises from unsafe deserialization of untrusted data (CWE-502), letting an unprivileged local attacker run arbitrary code in the context of the targeted process once a user is lured into opening or processing a malicious serialized payload. The CVSS 3.1 base score is 7.8 with high impact to confidentiality, integrity, and availability, but the vector (AV:L/UI:R) confines it to local attacks that require user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Deserialization Net 8 0 Net 9 0 Microsoft Visual Studio 2022 Version 17 12 Microsoft Visual Studio 2022 Version 17 14 +1
NVD
CVSS 3.1
7.8
EPSS
0.9%
CVE-2026-15416 HIGH PATCH This Week

Remote code execution in the Argo CD repo-server component (as shipped in Red Hat OpenShift GitOps and the argoproj argo-helm chart) allows an unauthenticated attacker with network access to the repo-server to run arbitrary code and, under certain conditions, poison cached manifests to push malicious Kubernetes resources into managed clusters, enabling full cluster takeover. The root cause is missing authentication (CWE-306) on a critical internal service that the default Helm chart left network-exposed. There is no public exploit identified at time of analysis, but detailed third-party technical research (Synacktiv) and press coverage exist, and the flaw was reported unpatched at disclosure.

Authentication Bypass Red Hat RCE Kubernetes Argo Helm +3
NVD GitHub VulDB
CVSS 3.1
8.9
EPSS
0.3%
CVE-2026-47296 HIGH PATCH Exploit Unlikely This Week

Local privilege elevation in Microsoft SQL Server (2016 SP3 through 2025) allows an already-authenticated database user to escalate their privileges by injecting crafted special elements into an SQL command. Microsoft has released a fix and reported the flaw; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because exploitation requires existing low-level access, the realistic threat is an insider or a compromised low-privilege account pivoting to higher database privileges.

SQLi Microsoft Sql Server 2016 Service Pack 3 Gdr Microsoft Sql Server 2016 Service Pack 3 Azure Connect Feature Pack Microsoft Sql Server 2017 Cu 31 Microsoft Sql Server 2017 Gdr +6
NVD
CVSS 3.1
7.8
EPSS
0.6%
CVE-2026-47301 HIGH PATCH This Week

Privilege escalation in Microsoft Configuration Manager (versions 2509 and 2603) lets an already-authorized, low-privileged network user gain elevated privileges due to improper access control. Rated CVSS 8.8, the flaw yields full confidentiality, integrity, and availability impact and is remotely reachable, though it requires existing valid low-level access. Microsoft has released a patch; no public exploit identified at time of analysis.

Authentication Bypass Microsoft Microsoft Configuration Manager Microsoft Configuration Manager 2509 Microsoft Configuration Manager 2603
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-59733 HIGH PATCH This Week

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, rclone serve restic --private-repos enforces authorization using the routed user path segment while building the backend object key from the raw uncleaned URL path, allowing an authenticated user to include .. in a request such as //..//config and read, overwrite, or delete another user's private repository on backends that clean path components. This issue is fixed in version 1.74.4.

Path Traversal
NVD GitHub
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-55033 HIGH PATCH NEWS Exploit Unlikely This Week

Local code execution in Microsoft Word (and Office/SharePoint components that render Word content) stems from an integer overflow in the file-parsing path, letting an attacker who convinces a victim to open a crafted document run arbitrary code with the victim's privileges. It affects a broad Office footprint including Microsoft 365 Apps, Office 2019, Office LTSC 2021/2024, the macOS editions, and SharePoint Server 2016/2019/Subscription Edition. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the 7.8 CVSS and Word's ubiquity make it a routine priority patch.

Buffer Overflow Microsoft Integer Overflow Microsoft 365 Apps For Enterprise Microsoft Office 2019 +9
NVD
CVSS 3.1
7.8
EPSS
0.5%
CVE-2026-50314 HIGH PATCH NEWS Exploit Unlikely This Week

Local code execution in Microsoft Office (2016, 2019, LTSC 2021/2024, Microsoft 365 Apps, and the macOS editions) arises from a use-after-free memory-corruption flaw (CWE-416) that lets an attacker run arbitrary code in the context of the current user after the victim opens a maliciously crafted document. The CVSS 3.1 base score is 7.8 (AV:L/AC:L/PR:N/UI:R) with high impact to confidentiality, integrity, and availability, and requires user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but a vendor patch is available via MSRC.

Use After Free Memory Corruption Denial Of Service Microsoft Microsoft 365 Apps For Enterprise +7
NVD
CVSS 3.1
7.8
EPSS
0.4%
CVE-2026-55038 HIGH PATCH This Week

Arbitrary code execution in Microsoft Office Word (and the broader Office/365/SharePoint family) arises from a stack-based buffer overflow (CWE-121) that an attacker triggers when a victim opens a maliciously crafted document. The CVSS 3.1 vector (AV:L/UI:R) confirms this is a file-borne, local-context flaw requiring the user to open attacker-supplied content, yielding full confidentiality, integrity, and availability impact in the user's session. No public exploit identified at time of analysis, and it is not listed in CISA KEV; Microsoft has released a patch via MSRC.

Buffer Overflow Stack Overflow Microsoft Microsoft 365 Apps For Enterprise Microsoft Office 2019 +9
NVD
CVSS 3.1
7.8
EPSS
0.4%
CVE-2026-47290 HIGH PATCH Exploit Unlikely This Week

Local code execution in Microsoft Office (including Microsoft 365 Apps for Enterprise, Office 2016/2019, and Office LTSC 2021/2024) stems from a use-after-free memory-corruption flaw (CWE-416). An attacker who convinces a user to open a specially crafted Office document can execute arbitrary code in the context of the current user, gaining full confidentiality, integrity, and availability impact. Exploitation requires user interaction (opening a malicious file) and there is no public exploit identified at time of analysis.

Use After Free Memory Corruption Denial Of Service Microsoft Microsoft 365 Apps For Enterprise +4
NVD
CVSS 3.1
7.8
EPSS
0.4%
CVE-2026-55132 HIGH PATCH NEWS Exploit Unlikely This Week

Local code execution in Microsoft Word (part of Microsoft 365 Apps, Office 2019, Office LTSC 2021/2024, and Office for Mac) stems from a double free of heap memory (CWE-415) that lets an unauthorized attacker run arbitrary code when a victim opens a malicious document. The flaw was reported by Microsoft, carries CVSS 7.8, and a vendor patch is available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because exploitation requires the target to open a crafted file (UI:R), it is a user-interaction-gated client-side RCE rather than a remotely-triggerable service bug.

Authentication Bypass Microsoft Microsoft 365 Apps For Enterprise Microsoft Office 2019 Microsoft Office 365 For Mac +8
NVD
CVSS 3.1
7.8
EPSS
0.4%
CVE-2026-55022 HIGH PATCH NEWS Exploit Unlikely This Week

Local arbitrary code execution in Microsoft Office (2016, 2019, LTSC 2021/2024, Microsoft 365 Apps for Enterprise, and Office for Mac 2021/2024) arises from a type-confusion flaw (CWE-843) that lets an attacker run code in the context of the current user when a victim opens a crafted file. The CVSS 3.1 base score is 7.8 (AV:L/AC:L/PR:N/UI:R) reflecting local vector with required user interaction and high impact to confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but a vendor patch is available via MSRC.

Microsoft Memory Corruption Authentication Bypass Microsoft 365 Apps For Enterprise Microsoft Office 2016 +6
NVD
CVSS 3.1
7.8
EPSS
0.4%
CVE-2026-55120 HIGH PATCH NEWS Exploit Unlikely This Week

Arbitrary code execution in Microsoft PowerPoint (and the broader Microsoft Office/365 suite on Windows and macOS) arises from a heap-based buffer overflow (CWE-122) triggered when a victim opens a maliciously crafted presentation file. An attacker who cannot log in to the target can still run code in the context of the current user by convincing that user to open the booby-trapped file, giving full confidentiality, integrity, and availability impact on the affected host. Microsoft has released a patch; there is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

Heap Overflow Buffer Overflow Microsoft Microsoft 365 Apps For Enterprise Microsoft Office 2019 +6
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2026-55123 HIGH PATCH NEWS Exploit Unlikely This Week

Local code execution in Microsoft Office PowerPoint (including Microsoft 365 Apps, Office 2019, Office LTSC 2021/2024, and their macOS variants) arises from a heap-based buffer overflow triggered when a victim opens a maliciously crafted presentation file. Successful exploitation runs attacker-controlled code with the privileges of the current user, yielding full confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but Microsoft has released a patch.

Heap Overflow Buffer Overflow Microsoft Microsoft 365 Apps For Enterprise Microsoft Office 2019 +6
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2026-55043 HIGH PATCH NEWS Exploit Unlikely This Week

Local code execution in Microsoft Office PowerPoint (CWE-122 heap-based buffer overflow) lets an unauthorized attacker run arbitrary code when a victim opens a maliciously crafted presentation file. The flaw affects a broad Office footprint - PowerPoint 2016, Office 2019, Office LTSC 2021/2024, Microsoft 365 Apps for Enterprise, and multiple Office for Mac builds - and requires user interaction (opening the file) but no prior privileges. A vendor patch is available via MSRC; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Heap Overflow Buffer Overflow Microsoft Microsoft 365 Apps For Enterprise Microsoft Office 2019 +6
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2026-55127 HIGH PATCH NEWS Exploit Unlikely This Week

Local code execution in Microsoft Word (and the wider Microsoft Office / Microsoft 365 Apps family) lets an unauthorized attacker run arbitrary code when a victim opens a maliciously crafted Word document that triggers a heap-based buffer overflow. All impacted SKUs - Microsoft 365 Apps for Enterprise, Office 2019, Office LTSC 2021/2024, the macOS Office builds, and SharePoint Server (which renders Office documents server-side) - are affected, and Microsoft has released a patch. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

Heap Overflow Buffer Overflow Microsoft Microsoft 365 Apps For Enterprise Microsoft Office 2019 +9
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2026-55018 HIGH PATCH NEWS Exploit Unlikely This Week

Local code execution in Microsoft Office (2016, 2019, LTSC 2021/2024, Microsoft 365 Apps for Enterprise, and Office for Mac) stems from a use-after-free memory corruption (CWE-416) that an attacker triggers when a victim opens a maliciously crafted document. Rated CVSS 7.8 with high confidentiality, integrity, and availability impact, exploitation requires user interaction but no prior authentication, letting an attacker run arbitrary code in the context of the current user. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has released a fix, so patching should be prioritized during the normal Patch Tuesday cycle.

Use After Free Memory Corruption Denial Of Service Microsoft Microsoft 365 Apps For Enterprise +7
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2026-50467 HIGH PATCH NEWS Exploit Unlikely This Week

Local code execution in Microsoft Office (2016, 2019, LTSC 2021/2024, Microsoft 365 Apps, and Office for Mac 2021/2024) arises from a use-after-free memory corruption flaw that an attacker triggers by convincing a user to open a maliciously crafted Office document. Successful exploitation runs arbitrary code in the context of the current user, yielding full confidentiality, integrity, and availability impact on the host. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV; Microsoft has published a patch via MSRC.

Use After Free Memory Corruption Denial Of Service Microsoft Microsoft 365 Apps For Enterprise +7
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2026-15776 HIGH PATCH This Week

Inappropriate implementation in V8 in Google Chrome prior to 150.0.7871.125 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Google Memory Corruption RCE
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-47305 HIGH PATCH This Week

Local code execution in Microsoft Visual Studio (2022 versions 17.12 and 17.14, and 2026 version 18.7) stems from a protection mechanism failure that lets an unauthorized attacker run arbitrary code once a victim is convinced to open or interact with a malicious project, file, or solution. Microsoft has published a fix, but there is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV. The CVSS 3.1 base score is 7.8, reflecting high confidentiality, integrity, and availability impact requiring local access plus user interaction.

Authentication Bypass Microsoft Visual Studio 2022 Version 17 12 Microsoft Visual Studio 2022 Version 17 14 Microsoft Visual Studio 2026 Version 18 7
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2026-15767 HIGH PATCH This Week

Heap buffer overflow in libyuv in Google Chrome on Windows prior to 150.0.7871.125 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted video file. (Chromium security severity: High)

Google Heap Overflow Buffer Overflow Microsoft RCE
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-58538 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in the Windows Bluetooth Service affects a broad range of Microsoft Windows client and server editions (Windows 10 1809 through Windows 11 26H1, and Windows Server 2019 through 2025). A heap-based buffer overflow (CWE-122) lets an already-authenticated local attacker corrupt kernel/service memory to elevate from a low-privileged account to SYSTEM. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; a vendor patch is available from Microsoft.

Heap Overflow Buffer Overflow Microsoft Windows 10 Version 1809 Windows 10 Version 21H2 +9
NVD
CVSS 3.1
7.8
EPSS
0.3%
Prev Page 3 of 20 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy