Microsoft
Monthly
Full-read SSRF in Koel's podcast subscription feature allows any authenticated user to coerce the server into fetching internal HTTP endpoints - including cloud instance metadata services - and receive the full response. The vulnerability exists because PHP's `filter_var` with `FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE` does not unwrap NAT64 (`64:ff9b::/96`) or 6to4 (`2002::/16`) IPv6 transition addresses, both of which deterministically embed a private IPv4 that the OS kernel routes internally. This affects all Koel deployments through v9.7.0 on NAT64 or dual-stack networks (the default for IPv6-only AWS and GCP subnets); a detailed proof-of-concept with verbatim server output is published in the advisory. No public exploit code is in KEV at time of analysis, but the PoC substantially lowers the exploitation barrier.
Server-side request forgery in Koel (self-hosted PHP music-streaming server, all releases up to and including 9.7.0) lets any authenticated low-privilege user coerce the server into requesting arbitrary internal or cloud-metadata endpoints. The flaw is an incomplete fix for CVE-2026-47260: the initial isSafeUrl() check was added to several podcast/radio fetchers, but per-redirect-hop re-validation was wired into only one path (EpisodePlayable), leaving every sibling fetcher bypassable via an attacker-controlled host that returns an HTTP 302 to an internal address, and all paths bypassable via DNS rebinding. A researcher mechanism PoC confirms exploitation; not listed in CISA KEV and no evidence of active exploitation.
Session hijacking via a broken SSO/OAuth authorization flow affects Vaultwarden (the Rust-based Bitwarden-compatible server) prior to 1.36.0, where the /connect/authorize endpoint fails to bind the OAuth state parameter to the initiating browser session, accepts attacker-controlled PKCE parameters, and leaves SsoAuth records intact after a failed token exchange. By tricking a victim into completing IdP authentication (UI:R), an unauthenticated attacker can redeem the resulting tokens for a fully authenticated session and take over the victim's vault. Rated CVSS 8.3 (CWE-352) with no public exploit identified at time of analysis and no CISA KEV listing.
SQL injection in Apache Fineract's Office Search API (GET /api/v1/offices) in all versions up to and including 1.14.0 lets an authenticated user who holds the office-view permission inject arbitrary SQL through the orderBy request parameter. Because it bypasses the ColumnValidator hardening added for CVE-2024-32838, an attacker can run time-based blind SQL injection to exfiltrate database contents and, by launching concurrent injections that hold connections open, exhaust the database connection pool to cause denial of service. No public exploit identified at time of analysis; the flaw is documented via an oss-security advisory and an upstream fix pull request (apache/fineract #6048).
Microsoft AVML before 0.17.0 could follow a symlink when opening a destination output path on Unix, allowing truncation/overwrite of the symlink target. The destructive effect is performed at open-time via O_TRUNC, and can happen before full input validation completes (“truncation-before-validation”).
Use after free in Core in Google Chrome on Windows prior to 150.0.7871.125 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Insufficient validation of untrusted input in Media in Google Chrome on Windows prior to 150.0.7871.125 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Heap buffer overflow in libyuv in Google Chrome on Windows prior to 150.0.7871.125 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted video file. (Chromium security severity: High)
Privilege escalation in Microsoft Configuration Manager (versions 2509 and 2603) lets an already-authorized, low-privileged network user gain elevated privileges due to improper access control. Rated CVSS 8.8, the flaw yields full confidentiality, integrity, and availability impact and is remotely reachable, though it requires existing valid low-level access. Microsoft has released a patch; no public exploit identified at time of analysis.
Devolutions Server 2026.1.22.0 and 2026.2.11.0 exposes Azure Key Vault client secrets in cleartext within Recovery Kit response files, defeating an explicit 'exclude sensitive data' option that administrators rely on. Any party who obtains a copy of the generated response file can trivially read the credential without any decryption or tooling. No public exploit code exists and the vulnerability is not in CISA KEV; however, because successful exploitation yields a reusable cloud credential, the downstream blast radius in Azure environments substantially exceeds what the 3.3 CVSS base score suggests. A vendor-released patch is available.
Stored CSV formula injection in FacturaScripts (all versions through 2026.1) lets an authenticated low-privilege user plant spreadsheet formula payloads in ordinary text fields (customer/supplier/product names, contacts) that execute when an administrator opens a routine list export. Because Core/Lib/Export/CSVExport.php::writeData() wraps values without neutralising leading =,+,-,@,tab, or carriage-return characters, and Tools::noHtml() only strips HTML metacharacters, the payload reaches the CSV verbatim and Excel/LibreOffice run it (including DDE process spawning) in the admin's OS context. A live PoC was verified on 2026-04-30, so publicly available exploit code exists, though there is no active exploitation confirmed (not in CISA KEV).
Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally.
Spoofing via origin validation error in the Windows Network Address Translation (NAT) component affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, including Server Core installations. An unauthenticated attacker positioned on an adjacent network segment can bypass origin/authentication checks (CWE-346) to impersonate a trusted source, with Microsoft rating scope-changed high impact to confidentiality, integrity, and availability (CVSS 8.3). No public exploit identified at time of analysis, though high attack complexity limits reliable exploitation.
Missing cryptographic step in Windows Boot Loader allows an authorized attacker to bypass a security feature locally.
Local privilege escalation in the Microsoft Windows Client-Side Caching (CSC) Service, driven by a use-after-free (CWE-416) memory-corruption flaw affecting Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025. An authorized attacker who already holds low-level privileges (PR:L) on the host can trigger the freed-object reuse to gain elevated, likely SYSTEM-level, privileges. The issue was reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and no CISA KEV listing.
Local privilege escalation in the Windows Win32K kernel-mode subsystem allows an authenticated attacker to elevate to SYSTEM by exploiting a use-after-free (CWE-416) memory-corruption condition. The flaw affects a broad range of supported Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2016 through 2025). Reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows DirectX graphics subsystem allows an authenticated attacker with low privileges to elevate to SYSTEM by triggering a use-after-free (CWE-416) memory-corruption condition. The flaw affects a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.0 (High), tempered by high attack complexity.
Local privilege escalation in the Windows Wireless Networking component affects a broad span of currently supported Windows releases (Windows 10 1809 through Windows 11 26H1, and Windows Server 2019/2022/2025), letting an already-authenticated local user win a timing race to gain SYSTEM-level control. The flaw is a CWE-362 race condition where improperly synchronized access to a shared resource can be manipulated during a narrow execution window; CVSS 7.8 reflects a high-complexity but high-impact local escalation with a scope change. Microsoft (the reporter) has shipped a patch, and there is no public exploit identified at time of analysis.
Denial of service in the Microsoft Windows DHCP Server role allows a remote, unauthenticated attacker to exhaust server resources and knock the service offline over the network. The flaw affects a broad range of supported Windows Server releases (2012 through 2025, including Server Core installations) and carries a CVSS 7.5 rating driven entirely by availability impact. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.
Remote code execution in Windows Remote Desktop Services (RDS) allows an authenticated network attacker to run arbitrary code by triggering a use-after-free (CWE-416) memory corruption condition. The flaw affects a broad range of currently-supported Windows client and server builds - Windows 10 21H2/22H2, Windows 11 24H2/25H2/26H1, and Windows Server 2022/2025 (including Server Core). It was reported by Microsoft with a CVSS 8.8 rating; there is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network vector combined with only low-privilege requirements makes it a strong patch priority.
Local privilege escalation in Microsoft Windows Sensor Data Service arises from a use-after-free (CWE-416) memory corruption flaw that an already-authenticated attacker can trigger to run code at higher privilege. It affects a broad range of client and server builds (Windows 10 1607 through Windows 11 26H1, and Windows Server 2016 through 2025). Reported by Microsoft with a patch available; no public exploit identified at time of analysis, and the CVSS:3.1 score is 7.0 (High).
Privilege elevation in Microsoft 365 Copilot for iOS lets a remote, unauthenticated attacker gain elevated access after a targeted user is lured into interacting with attacker-controlled content, per Microsoft's MSRC advisory. The flaw stems from improper access control (CWE-284) and carries a High CVSS 3.1 base score of 8.1 with high confidentiality and integrity impact but no availability impact. No public exploit has been identified at time of analysis and it is not listed in CISA KEV, but a vendor patch is available.
Local privilege escalation in the Windows Cloud Files Mini Filter Driver (cldflt.sys) lets an authenticated low-privileged user corrupt kernel memory to gain SYSTEM-level control. The flaw is a use-after-free (CWE-416) affecting a broad range of Windows client and server builds from Windows 10 1809 through Windows 11 26H1 and Windows Server 2019-2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote code execution in the Microsoft Windows Remote Desktop (RDP) component allows an unauthenticated attacker to run arbitrary code by triggering an integer overflow, but only when a victim is convinced to interact (per CVSS UI:R) - most consistent with a malicious RDP server coercing a connecting client. The flaw affects a broad range of supported Windows client and server releases from Windows Server 2012/Windows 10 1607 through Windows 11 26H1 and Windows Server 2025. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; EPSS data was not provided.
Local privilege escalation in the Windows Desktop Window Manager (DWM) Core Library allows an authenticated attacker to gain SYSTEM-level privileges by triggering a type-confusion (CWE-843) condition. The flaw affects a broad range of supported Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. Reported internally by Microsoft with a vendor patch available; no public exploit identified at time of analysis.
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows USB Print Driver allows an authorized attacker to elevate privileges with a physical attack.
Local code execution in Windows Media on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 lets an attacker run arbitrary code by luring a user into opening a maliciously crafted media file. The CVSS 3.1 base score is 7.8 with full confidentiality, integrity, and availability impact but requiring user interaction, and there is no public exploit identified at time of analysis. Microsoft has released a patch via MSRC.
Elevation of privilege in Microsoft Windows Management Services lets a low-privileged local user corrupt memory through a use-after-free (CWE-416) and gain higher privileges on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025. A successful exploit yields high confidentiality, integrity, and availability impact, but the CVSS vector marks high attack complexity, reflecting the race-condition timing typically needed to win a use-after-free. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Improper access control in Windows Kernel allows an authorized attacker to bypass a security feature locally.
Local privilege escalation in the Windows Cloud Files Mini Filter Driver (cldflt.sys) allows an authenticated low-privileged user to elevate to SYSTEM by triggering a use-after-free memory corruption condition. The flaw affects a broad range of Windows client and server releases (Windows 10 1809 through Windows 11 26H1, and Windows Server 2019 through 2025) and was reported by Microsoft. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Microsoft Input Method Editor (IME) component shipped across Windows 10, Windows 11, and Windows Server 2016 through 2025 allows an authenticated, low-privileged user to corrupt heap memory and gain SYSTEM-level control. The flaw (CWE-122 heap-based buffer overflow) carries a scope-changing CVSS 3.1 score of 8.8, meaning successful exploitation escapes the caller's security boundary. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in Microsoft's NAT Helper Components (ipnathlp.dll), the driver behind Internet Connection Sharing and NAT translation on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025. An authenticated attacker who already has low-privilege access can exploit a use-after-free memory corruption bug to run code at higher privilege (SYSTEM). No public exploit identified at time of analysis, and it is not listed in CISA KEV, but Microsoft has released a patch.
Local privilege escalation in the Microsoft Windows Kernel allows an authenticated attacker to elevate to SYSTEM by triggering an integer overflow (CWE-190) in a kernel code path. The flaw affects a broad range of supported Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through Server 2025). Reported by Microsoft with a vendor patch available; no public exploit identified at time of analysis and no EPSS or KEV data supplied.
Elevation of privilege in the Windows SMB implementation allows an authenticated network attacker to win a race condition and gain higher privileges on affected systems, spanning Windows 10, Windows 11, and Windows Server 2012 through 2025. The flaw is a concurrency defect (CWE-362) reported by Microsoft with a vendor patch already released; there is no public exploit identified at time of analysis. Note a data conflict: the description and CVSS impacts describe privilege elevation with full confidentiality/integrity/availability impact, while the intelligence tags also label it 'Information Disclosure' — the CVSS vector should be treated as authoritative.
Local privilege escalation in Microsoft Windows Installer (msiexec/MSI service) lets an already-authenticated low-privilege user elevate to SYSTEM by abusing an improper authorization check (CWE-285). Affected platforms span Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025, including Server Core installations. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, so risk is currently potential rather than confirmed in-the-wild exploitation.
Out-of-bounds read in Windows RDP allows an unauthorized attacker to disclose information over a network.
Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network.
Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network.
Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network.
Local privilege escalation in the Windows Bluetooth Service affects a broad range of Microsoft Windows client and server editions (Windows 10 1809 through Windows 11 26H1, and Windows Server 2019 through 2025). A heap-based buffer overflow (CWE-122) lets an already-authenticated local attacker corrupt kernel/service memory to elevate from a low-privileged account to SYSTEM. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; a vendor patch is available from Microsoft.
Local code execution in Microsoft Windows' Resilient File System (ReFS) driver lets an attacker run arbitrary code by inducing a victim to mount or open a maliciously crafted ReFS volume. The flaw is a heap-based buffer overflow (CWE-122) in ReFS metadata parsing affecting Windows 10, Windows 11 (through 26H1), and Windows Server 2016-2025. CVSS is 7.8 (AV:L/UI:R); there is no public exploit identified at time of analysis and it is not in CISA KEV, so exploitation would require crafting a malicious volume and social-engineering the user to attach it.
Out-of-bounds read in Windows USB Audio Class driver (usbaudio.sys) allows an unauthorized attacker to disclose information with a physical attack.
Local privilege escalation in the Windows Runtime (WinRT) affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2022/2025, where a race condition in shared-resource handling lets an already-authenticated local user win a timing window to gain higher privileges. Reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and the CVSS base score is 7.8 (High). Note that Microsoft's tags label this as Information Disclosure while the description and CVSS impact metrics describe full privilege elevation - this discrepancy should be verified against the vendor advisory.
Privilege elevation in Microsoft SharePoint Server (Enterprise Server 2016 and Server 2019) allows an authenticated network attacker to abuse an improper authorization check to gain higher privileges within the SharePoint environment. The flaw is tagged as an authentication bypass and carries a CVSS 8.8, reflecting high impact to confidentiality, integrity, and availability from a low-privileged starting point. Microsoft has released a patch; there is no public exploit identified at time of analysis and no CISA KEV listing.
Information disclosure via uninitialized resource use in Windows Remote Desktop Protocol (RDP) exposes sensitive memory contents to authenticated remote attackers across a wide range of Microsoft Windows desktop and server editions. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms this is exploitable over the network by any low-privileged authenticated user with no complexity or interaction requirements, yielding high confidentiality impact. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low barrier to exploitation and the ubiquitous deployment of Windows RDP make this a meaningful patching priority.
Time-of-check time-of-use (toctou) race condition in Windows Subsystem for Linux allows an authorized attacker to perform tampering locally.
Local privilege escalation in Microsoft's Windows Subsystem for Linux (WSL2) allows a low-privileged authenticated user on the Windows host to elevate to higher privileges by triggering a buffer over-read (CWE-126). Microsoft (the reporting vendor) has released a fix via MSRC, and there is no public exploit identified at time of analysis. With a CVSS 3.1 base score of 7.8 and full high impact to confidentiality, integrity and availability, it is a meaningful local EoP but requires prior code-execution access on the machine.
Local privilege escalation in Microsoft Windows Routing and Remote Access Service (RRAS) allows an authenticated low-privileged attacker to elevate to SYSTEM by triggering a heap-based buffer overflow (CWE-122). The flaw affects a broad range of Windows client and server versions from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 R2 through Server 2025. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; a vendor patch is available.
Local privilege escalation in the Windows Ancillary Function Driver for WinSock (AFD.sys) allows an authenticated low-privileged user to elevate to SYSTEM by triggering a use-after-free (CWE-416) in the kernel-mode driver. All actively serviced Windows client (10 1607 through 11 26H1) and Server (2012 through 2025) editions are affected, and Microsoft has released patches. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Remote code execution in Microsoft Windows Media Foundation allows an unauthenticated attacker to run arbitrary code by tricking a user into opening a maliciously crafted media file or stream. The flaw is a heap-based buffer overflow (CWE-122) affecting a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; a vendor patch is available via the Microsoft Security Response Center.
Elevation of privilege in the Windows Hyper-V virtual network switch (VMSwitch) lets an authenticated attacker operating from a guest partition corrupt kernel memory via a use-after-free and gain higher privileges, with a scope change (S:C) indicating a guest-to-host escape. Rated CVSS 9.9 and affecting a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through 2025, this issue was reported by Microsoft and has a vendor patch available. No public exploit is identified at time of analysis and it is not listed in CISA KEV.
Out-of-bounds read in Windows Print Spooler Components allows an authorized attacker to disclose information locally.
Remote code execution in the Windows SMB Server network transport driver (srvnet.sys) lets an unauthenticated network attacker win a use-after-free race to run arbitrary code, affecting Windows 10, Windows 11, and Windows Server 2012 through 2025. Per its CVSS vector the flaw requires user interaction and high attack complexity, so exploitation is non-trivial rather than a trivial wormable hit. This was reported by Microsoft, a vendor patch is available, and there is no public exploit identified at time of analysis.
Local privilege escalation in the Windows File History Service lets an authenticated, low-privileged attacker corrupt a stack buffer (CWE-121) to run code with elevated (SYSTEM-level) privileges on affected Windows client and server releases. The flaw spans a broad range of supported editions from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025, including Server Core installations. No public exploit was identified at time of analysis, and the CVE is not listed in CISA KEV.
Remote code execution in Microsoft Windows Media Foundation lets an unauthenticated attacker run arbitrary code in the victim's context by delivering a malicious media file or stream that the target opens or plays. The flaw affects the Media Foundation multimedia framework across supported Windows 10, Windows 11 (through 26H1), and Windows Server 2016-2025 builds, and carries CVSS 8.8. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CVSS profile of confidentiality, integrity, and availability all rated High marks this as a high-priority client-side RCE.
Remote code execution in Microsoft Windows Media Foundation lets an unauthenticated network attacker run arbitrary code on the victim's machine when the target opens or renders a maliciously crafted media file or stream. The flaw is a heap-based buffer overflow (CWE-122) affecting a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Server 2016 through Server 2025. No public exploit identified at time of analysis, but the low complexity and network vector make it a high-priority patch item; exploitation requires user interaction (UI:R).
Exposure of sensitive information to an unauthorized actor in Windows Win32K allows an unauthorized attacker to elevate privileges locally.
Local privilege escalation in the Windows Network File System (NFS) component allows an authenticated attacker to elevate to SYSTEM by triggering a heap-based buffer overflow (CWE-122). Reported by Microsoft and affecting a broad range of Windows 10, Windows 11, and Windows Server 2012-2025 releases, with a vendor patch available via MSRC. No public exploit identified at time of analysis, and no CISA KEV listing.
Use of uninitialized resource in Windows File Explorer allows an unauthorized attacker to disclose information locally.
Use of uninitialized resource in Microsoft Windows Codecs Library allows an unauthorized attacker to disclose information locally.
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Network File System allows an unauthorized attacker to execute code over a network.
Elevation of privilege in the Windows Network File System (NFS) component affects a broad range of Microsoft platforms - Windows 10 (1607 through 22H2), Windows 11 (24H2, 25H2, 26H1), and Windows Server 2012 through 2025 - where an authorized attacker can win a time-of-check/time-of-use (TOCTOU) race condition over the network to gain higher privileges. The CVSS 3.1 vector (AV:N/AC:H/PR:L) indicates a network-reachable but high-complexity flaw requiring low-level existing privileges, with full high impact to confidentiality, integrity and availability. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; a Microsoft (MSRC) patch is available.
Privilege escalation in the Windows Remote Access Service (RRAS) Infrastructure allows an authenticated attacker to elevate privileges over the network by triggering an integer overflow (CWE-190) in affected code paths. The flaw affects a broad range of Windows 10, Windows 11, and Windows Server releases (2012 R2 through 2025), and Microsoft has released a patch. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the network-reachable EoP profile with only low privileges required makes it a meaningful patch priority.
Privilege escalation via a heap-based buffer overflow in the Windows Network File System (NFS) role lets an authenticated, low-privileged network attacker send crafted requests to corrupt server heap memory and gain elevated privileges. Affected systems span Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025 wherever the Server for NFS role is present. No public exploit was identified at time of analysis and the flaw is not in CISA KEV, but the 8.8 CVSS with a network-reachable, low-complexity, no-user-interaction profile makes it a meaningful patch priority on NFS hosts.
Local code execution in Microsoft Windows Terminal (shipped on Windows 10 21H2/22H2, Windows 11 24H2/25H2/26H1, and Windows Server 2022/2025) arises from an integer overflow (CWE-190) that an unauthorized attacker can trigger, but only after luring a logged-on user into interacting with malicious content. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV, so this is a defense-in-depth patch rather than an emergency, though the CVSS 7.8 reflects full confidentiality, integrity, and availability impact once triggered. Microsoft has released a patch via the MSRC update guide.
Local privilege escalation in the Microsoft Windows Kernel allows an authenticated attacker to elevate to SYSTEM by exploiting a use-after-free (CWE-416) memory corruption condition, spanning Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2016 through 2025. Reported by Microsoft with a CVSS 3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N), the flaw grants full confidentiality, integrity, and availability impact on the local system. No public exploit identified at time of analysis, and it is not listed in CISA KEV; a vendor patch is available.
Local privilege escalation in the Microsoft Windows Kernel (CWE-416 use-after-free) lets an already-authenticated low-privilege user corrupt kernel memory and gain SYSTEM-level control across a broad range of Windows 10, Windows 11, and Windows Server 2016 through 2025 builds. Microsoft self-reported the flaw and has shipped a patch through the Update Guide; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. With CVSS 7.8 (AV:L/PR:L) it is a classic Patch-Tuesday local EoP suitable as a second-stage primitive after initial access.
Remote code execution in Microsoft Fabric Data Warehouse allows an authenticated attacker to run arbitrary code over the network by triggering a stack-based buffer overflow (CWE-121). The flaw carries a CVSS 8.8 rating with high impact to confidentiality, integrity, and availability, and requires only low-privilege access with no user interaction. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but a vendor patch is available via MSRC.
Time-of-check time-of-use (toctou) race condition in Microsoft Defender for Endpoint allows an authorized attacker to elevate privileges locally.
Authenticated remote code execution in Microsoft Windows Admin Center (CWE-77) lets an attacker with low-privilege access inject and run arbitrary commands over the network, yielding full confidentiality, integrity, and availability compromise (CVSS 8.8). Microsoft has released a patch; there is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Remote code execution in Microsoft Windows Admin Center allows an authenticated attacker to run arbitrary code over the network by exploiting a relative path traversal (CWE-23) flaw. Any user holding valid low-privilege credentials to the WAC gateway can leverage the traversal to break out of the intended file path and achieve full compromise (confidentiality, integrity, and availability impact all High). Microsoft has published a patch via MSRC; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Out-of-bounds read in Microsoft Office exposes sensitive memory contents to a local, unauthenticated attacker who can induce a user to open a malicious document. Affected products span the full current Office portfolio - Office 2016 through LTSC 2024 on both Windows and macOS - making the blast radius broad despite the local attack vector. No public exploit identified at time of analysis and SSVC classifies exploitation as none and not automatable, though the high confidentiality impact (C:H) and near-universal deployment of Office keep this a meaningful patching priority.
Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally.
Information disclosure in Microsoft Office (Microsoft 365 Apps, Office 2016/2019, Office LTSC 2021/2024, and Office for Mac) arises from an out-of-bounds read (CWE-125) that lets an attacker who convinces a victim to open a crafted file read memory beyond an intended buffer boundary. Exploitation is local and requires user interaction, and there is no public exploit identified at time of analysis and no CISA KEV listing. Disclosed memory can leak sensitive data such as heap contents or pointer addresses useful for defeating ASLR in a follow-on exploit chain.
Local code execution in Microsoft Windows Media Foundation (CWE-122 heap-based buffer overflow) lets an unauthorized attacker run arbitrary code when a victim opens a maliciously crafted media file or content that the platform parses. It affects a broad range of Windows client and server builds from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote code execution in the Windows Server Network driver stems from a race condition (CWE-362) that lets an unauthorized attacker execute arbitrary code across a wide range of Microsoft Windows client and server builds, from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates unauthenticated network exploitation with full confidentiality, integrity, and availability impact, and an 'Authentication Bypass' tag suggests the flaw can also subvert access controls. There is no public exploit identified at time of analysis and no CISA KEV listing, but the network-facing, pre-authentication nature makes it a high-priority patch.
Information disclosure in Microsoft Windows Schannel (the Secure Channel TLS/SSL provider) lets an authenticated, network-adjacent attacker read memory beyond an allocated buffer and leak sensitive data across a network connection. The flaw spans nearly the entire supported Windows family - Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025. Reported by Microsoft with a fix available; there is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Local privilege escalation in the Windows MIDI Service Module affects Windows 11 versions 24H2, 25H2, and 26H1, where a use-after-free (CWE-416) memory corruption lets an already-authorized local user run code with elevated privileges. Microsoft rates it CVSS 7.0 and has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Exploitation is non-trivial due to high attack complexity and requires the attacker to already hold low-level local privileges.
Exposure of sensitive information to an unauthorized actor in Windows Win32K allows an authorized attacker to disclose information locally.
Remote code execution in Microsoft Windows Remote Desktop (RDP) allows an unauthorized network attacker to run arbitrary code by triggering the use of an uninitialized resource (CWE-908). All currently supported Windows client and server releases are affected, from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. The CVSS 3.1 base score is 9.8 with a network, no-privileges, no-interaction vector; there is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Local privilege escalation in the Windows MIDI Service Module affects Windows 11 versions 24H2, 25H2, and 26H1, where a use-after-free (CWE-416) memory-corruption flaw lets an already-authenticated local user elevate to higher privileges. Exploitation requires winning a race condition (high attack complexity), and Microsoft has released a fix; no public exploit identified at time of analysis. Rated CVSS 7.0 with full confidentiality, integrity, and availability impact once triggered.
Local privilege escalation in the Windows NTFS file system driver allows an authenticated low-privileged user to gain SYSTEM-level rights by triggering an integer overflow (CWE-190) during filesystem processing. It affects a broad range of supported Windows client and server releases, from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; a vendor patch is available from Microsoft.
Local privilege escalation in the Windows NTFS driver lets an already-authenticated attacker corrupt heap memory to run code at a higher privilege level (typically SYSTEM) on affected Windows 10, Windows 11, and Windows Server builds. Microsoft reported the issue and has shipped a fix; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. With CVSS 7.8 (AV:L/PR:L) it is a valuable post-compromise pivot rather than an initial-access bug.
Local privilege escalation in the Win32k GRFX subsystem across Windows 10, Windows 11, and Windows Server 2012 through 2025 lets an authenticated low-privileged local attacker elevate to SYSTEM by triggering an out-of-bounds read (CWE-125). The flaw was reported internally by Microsoft, a vendor patch is available via MSRC, and there is no public exploit identified at time of analysis. CVSS is 7.8 (High), reflecting a local vector with low complexity and low privileges required.
Local privilege elevation in the Windows WebView component affects a broad range of currently-supported Windows client and server builds (Windows 10 1809 through Windows 11 26H1, and Windows Server 2019/2022/2025). By triggering a use-after-free (CWE-416) memory-corruption condition, an already-authenticated low-privilege attacker can execute code in a higher-privilege context, yielding full confidentiality, integrity, and availability impact on the local system. Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Null pointer dereference in Windows SMB Server allows an authorized attacker to deny service over a network.
Local privilege escalation in Microsoft XML Core Services (MSXML) lets a low-privileged, authorized attacker on a Windows host reclaim a freed object (use-after-free, CWE-416) to run code at elevated privilege. It affects a broad Windows footprint spanning Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025, including Server Core installations. Microsoft reported the flaw, a patch is available, and there is no public exploit identified at time of analysis; CISA SSVC currently rates exploitation as none.
Remote code execution in the Microsoft Windows DHCP Server role allows an unauthenticated network attacker to run arbitrary code by triggering a heap-based buffer overflow (CWE-122) in the service's packet handling. The flaw carries a CVSS 9.8 with a fully remote, no-interaction, no-privilege vector and affects Windows Server 2012 through 2025 (plus the Windows 10 1607/1809 code base). At time of analysis there is no public exploit identified and the issue is not listed in CISA KEV, but the unauthenticated network-facing nature of the DHCP service makes it a high-priority patch.
Improper access control in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Local code execution in Microsoft Office Excel (across Microsoft 365 Apps for Enterprise, Office LTSC 2021/2024, and their macOS counterparts) arises from a heap-based buffer overflow (CWE-122) triggered when a victim opens a maliciously crafted spreadsheet. An unauthorized attacker can achieve arbitrary code execution in the context of the current user, gaining high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but a vendor patch is available from Microsoft.
Full-read SSRF in Koel's podcast subscription feature allows any authenticated user to coerce the server into fetching internal HTTP endpoints - including cloud instance metadata services - and receive the full response. The vulnerability exists because PHP's `filter_var` with `FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE` does not unwrap NAT64 (`64:ff9b::/96`) or 6to4 (`2002::/16`) IPv6 transition addresses, both of which deterministically embed a private IPv4 that the OS kernel routes internally. This affects all Koel deployments through v9.7.0 on NAT64 or dual-stack networks (the default for IPv6-only AWS and GCP subnets); a detailed proof-of-concept with verbatim server output is published in the advisory. No public exploit code is in KEV at time of analysis, but the PoC substantially lowers the exploitation barrier.
Server-side request forgery in Koel (self-hosted PHP music-streaming server, all releases up to and including 9.7.0) lets any authenticated low-privilege user coerce the server into requesting arbitrary internal or cloud-metadata endpoints. The flaw is an incomplete fix for CVE-2026-47260: the initial isSafeUrl() check was added to several podcast/radio fetchers, but per-redirect-hop re-validation was wired into only one path (EpisodePlayable), leaving every sibling fetcher bypassable via an attacker-controlled host that returns an HTTP 302 to an internal address, and all paths bypassable via DNS rebinding. A researcher mechanism PoC confirms exploitation; not listed in CISA KEV and no evidence of active exploitation.
Session hijacking via a broken SSO/OAuth authorization flow affects Vaultwarden (the Rust-based Bitwarden-compatible server) prior to 1.36.0, where the /connect/authorize endpoint fails to bind the OAuth state parameter to the initiating browser session, accepts attacker-controlled PKCE parameters, and leaves SsoAuth records intact after a failed token exchange. By tricking a victim into completing IdP authentication (UI:R), an unauthenticated attacker can redeem the resulting tokens for a fully authenticated session and take over the victim's vault. Rated CVSS 8.3 (CWE-352) with no public exploit identified at time of analysis and no CISA KEV listing.
SQL injection in Apache Fineract's Office Search API (GET /api/v1/offices) in all versions up to and including 1.14.0 lets an authenticated user who holds the office-view permission inject arbitrary SQL through the orderBy request parameter. Because it bypasses the ColumnValidator hardening added for CVE-2024-32838, an attacker can run time-based blind SQL injection to exfiltrate database contents and, by launching concurrent injections that hold connections open, exhaust the database connection pool to cause denial of service. No public exploit identified at time of analysis; the flaw is documented via an oss-security advisory and an upstream fix pull request (apache/fineract #6048).
Microsoft AVML before 0.17.0 could follow a symlink when opening a destination output path on Unix, allowing truncation/overwrite of the symlink target. The destructive effect is performed at open-time via O_TRUNC, and can happen before full input validation completes (“truncation-before-validation”).
Use after free in Core in Google Chrome on Windows prior to 150.0.7871.125 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Insufficient validation of untrusted input in Media in Google Chrome on Windows prior to 150.0.7871.125 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Heap buffer overflow in libyuv in Google Chrome on Windows prior to 150.0.7871.125 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted video file. (Chromium security severity: High)
Privilege escalation in Microsoft Configuration Manager (versions 2509 and 2603) lets an already-authorized, low-privileged network user gain elevated privileges due to improper access control. Rated CVSS 8.8, the flaw yields full confidentiality, integrity, and availability impact and is remotely reachable, though it requires existing valid low-level access. Microsoft has released a patch; no public exploit identified at time of analysis.
Devolutions Server 2026.1.22.0 and 2026.2.11.0 exposes Azure Key Vault client secrets in cleartext within Recovery Kit response files, defeating an explicit 'exclude sensitive data' option that administrators rely on. Any party who obtains a copy of the generated response file can trivially read the credential without any decryption or tooling. No public exploit code exists and the vulnerability is not in CISA KEV; however, because successful exploitation yields a reusable cloud credential, the downstream blast radius in Azure environments substantially exceeds what the 3.3 CVSS base score suggests. A vendor-released patch is available.
Stored CSV formula injection in FacturaScripts (all versions through 2026.1) lets an authenticated low-privilege user plant spreadsheet formula payloads in ordinary text fields (customer/supplier/product names, contacts) that execute when an administrator opens a routine list export. Because Core/Lib/Export/CSVExport.php::writeData() wraps values without neutralising leading =,+,-,@,tab, or carriage-return characters, and Tools::noHtml() only strips HTML metacharacters, the payload reaches the CSV verbatim and Excel/LibreOffice run it (including DDE process spawning) in the admin's OS context. A live PoC was verified on 2026-04-30, so publicly available exploit code exists, though there is no active exploitation confirmed (not in CISA KEV).
Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally.
Spoofing via origin validation error in the Windows Network Address Translation (NAT) component affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, including Server Core installations. An unauthenticated attacker positioned on an adjacent network segment can bypass origin/authentication checks (CWE-346) to impersonate a trusted source, with Microsoft rating scope-changed high impact to confidentiality, integrity, and availability (CVSS 8.3). No public exploit identified at time of analysis, though high attack complexity limits reliable exploitation.
Missing cryptographic step in Windows Boot Loader allows an authorized attacker to bypass a security feature locally.
Local privilege escalation in the Microsoft Windows Client-Side Caching (CSC) Service, driven by a use-after-free (CWE-416) memory-corruption flaw affecting Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025. An authorized attacker who already holds low-level privileges (PR:L) on the host can trigger the freed-object reuse to gain elevated, likely SYSTEM-level, privileges. The issue was reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and no CISA KEV listing.
Local privilege escalation in the Windows Win32K kernel-mode subsystem allows an authenticated attacker to elevate to SYSTEM by exploiting a use-after-free (CWE-416) memory-corruption condition. The flaw affects a broad range of supported Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2016 through 2025). Reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in the Windows DirectX graphics subsystem allows an authenticated attacker with low privileges to elevate to SYSTEM by triggering a use-after-free (CWE-416) memory-corruption condition. The flaw affects a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.0 (High), tempered by high attack complexity.
Local privilege escalation in the Windows Wireless Networking component affects a broad span of currently supported Windows releases (Windows 10 1809 through Windows 11 26H1, and Windows Server 2019/2022/2025), letting an already-authenticated local user win a timing race to gain SYSTEM-level control. The flaw is a CWE-362 race condition where improperly synchronized access to a shared resource can be manipulated during a narrow execution window; CVSS 7.8 reflects a high-complexity but high-impact local escalation with a scope change. Microsoft (the reporter) has shipped a patch, and there is no public exploit identified at time of analysis.
Denial of service in the Microsoft Windows DHCP Server role allows a remote, unauthenticated attacker to exhaust server resources and knock the service offline over the network. The flaw affects a broad range of supported Windows Server releases (2012 through 2025, including Server Core installations) and carries a CVSS 7.5 rating driven entirely by availability impact. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.
Remote code execution in Windows Remote Desktop Services (RDS) allows an authenticated network attacker to run arbitrary code by triggering a use-after-free (CWE-416) memory corruption condition. The flaw affects a broad range of currently-supported Windows client and server builds - Windows 10 21H2/22H2, Windows 11 24H2/25H2/26H1, and Windows Server 2022/2025 (including Server Core). It was reported by Microsoft with a CVSS 8.8 rating; there is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network vector combined with only low-privilege requirements makes it a strong patch priority.
Local privilege escalation in Microsoft Windows Sensor Data Service arises from a use-after-free (CWE-416) memory corruption flaw that an already-authenticated attacker can trigger to run code at higher privilege. It affects a broad range of client and server builds (Windows 10 1607 through Windows 11 26H1, and Windows Server 2016 through 2025). Reported by Microsoft with a patch available; no public exploit identified at time of analysis, and the CVSS:3.1 score is 7.0 (High).
Privilege elevation in Microsoft 365 Copilot for iOS lets a remote, unauthenticated attacker gain elevated access after a targeted user is lured into interacting with attacker-controlled content, per Microsoft's MSRC advisory. The flaw stems from improper access control (CWE-284) and carries a High CVSS 3.1 base score of 8.1 with high confidentiality and integrity impact but no availability impact. No public exploit has been identified at time of analysis and it is not listed in CISA KEV, but a vendor patch is available.
Local privilege escalation in the Windows Cloud Files Mini Filter Driver (cldflt.sys) lets an authenticated low-privileged user corrupt kernel memory to gain SYSTEM-level control. The flaw is a use-after-free (CWE-416) affecting a broad range of Windows client and server builds from Windows 10 1809 through Windows 11 26H1 and Windows Server 2019-2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote code execution in the Microsoft Windows Remote Desktop (RDP) component allows an unauthenticated attacker to run arbitrary code by triggering an integer overflow, but only when a victim is convinced to interact (per CVSS UI:R) - most consistent with a malicious RDP server coercing a connecting client. The flaw affects a broad range of supported Windows client and server releases from Windows Server 2012/Windows 10 1607 through Windows 11 26H1 and Windows Server 2025. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; EPSS data was not provided.
Local privilege escalation in the Windows Desktop Window Manager (DWM) Core Library allows an authenticated attacker to gain SYSTEM-level privileges by triggering a type-confusion (CWE-843) condition. The flaw affects a broad range of supported Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. Reported internally by Microsoft with a vendor patch available; no public exploit identified at time of analysis.
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows USB Print Driver allows an authorized attacker to elevate privileges with a physical attack.
Local code execution in Windows Media on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025 lets an attacker run arbitrary code by luring a user into opening a maliciously crafted media file. The CVSS 3.1 base score is 7.8 with full confidentiality, integrity, and availability impact but requiring user interaction, and there is no public exploit identified at time of analysis. Microsoft has released a patch via MSRC.
Elevation of privilege in Microsoft Windows Management Services lets a low-privileged local user corrupt memory through a use-after-free (CWE-416) and gain higher privileges on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025. A successful exploit yields high confidentiality, integrity, and availability impact, but the CVSS vector marks high attack complexity, reflecting the race-condition timing typically needed to win a use-after-free. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Improper access control in Windows Kernel allows an authorized attacker to bypass a security feature locally.
Local privilege escalation in the Windows Cloud Files Mini Filter Driver (cldflt.sys) allows an authenticated low-privileged user to elevate to SYSTEM by triggering a use-after-free memory corruption condition. The flaw affects a broad range of Windows client and server releases (Windows 10 1809 through Windows 11 26H1, and Windows Server 2019 through 2025) and was reported by Microsoft. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Microsoft Input Method Editor (IME) component shipped across Windows 10, Windows 11, and Windows Server 2016 through 2025 allows an authenticated, low-privileged user to corrupt heap memory and gain SYSTEM-level control. The flaw (CWE-122 heap-based buffer overflow) carries a scope-changing CVSS 3.1 score of 8.8, meaning successful exploitation escapes the caller's security boundary. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in Microsoft's NAT Helper Components (ipnathlp.dll), the driver behind Internet Connection Sharing and NAT translation on Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025. An authenticated attacker who already has low-privilege access can exploit a use-after-free memory corruption bug to run code at higher privilege (SYSTEM). No public exploit identified at time of analysis, and it is not listed in CISA KEV, but Microsoft has released a patch.
Local privilege escalation in the Microsoft Windows Kernel allows an authenticated attacker to elevate to SYSTEM by triggering an integer overflow (CWE-190) in a kernel code path. The flaw affects a broad range of supported Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through Server 2025). Reported by Microsoft with a vendor patch available; no public exploit identified at time of analysis and no EPSS or KEV data supplied.
Elevation of privilege in the Windows SMB implementation allows an authenticated network attacker to win a race condition and gain higher privileges on affected systems, spanning Windows 10, Windows 11, and Windows Server 2012 through 2025. The flaw is a concurrency defect (CWE-362) reported by Microsoft with a vendor patch already released; there is no public exploit identified at time of analysis. Note a data conflict: the description and CVSS impacts describe privilege elevation with full confidentiality/integrity/availability impact, while the intelligence tags also label it 'Information Disclosure' — the CVSS vector should be treated as authoritative.
Local privilege escalation in Microsoft Windows Installer (msiexec/MSI service) lets an already-authenticated low-privilege user elevate to SYSTEM by abusing an improper authorization check (CWE-285). Affected platforms span Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025, including Server Core installations. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, so risk is currently potential rather than confirmed in-the-wild exploitation.
Out-of-bounds read in Windows RDP allows an unauthorized attacker to disclose information over a network.
Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network.
Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network.
Use of uninitialized resource in Windows RDP allows an unauthorized attacker to disclose information over a network.
Local privilege escalation in the Windows Bluetooth Service affects a broad range of Microsoft Windows client and server editions (Windows 10 1809 through Windows 11 26H1, and Windows Server 2019 through 2025). A heap-based buffer overflow (CWE-122) lets an already-authenticated local attacker corrupt kernel/service memory to elevate from a low-privileged account to SYSTEM. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; a vendor patch is available from Microsoft.
Local code execution in Microsoft Windows' Resilient File System (ReFS) driver lets an attacker run arbitrary code by inducing a victim to mount or open a maliciously crafted ReFS volume. The flaw is a heap-based buffer overflow (CWE-122) in ReFS metadata parsing affecting Windows 10, Windows 11 (through 26H1), and Windows Server 2016-2025. CVSS is 7.8 (AV:L/UI:R); there is no public exploit identified at time of analysis and it is not in CISA KEV, so exploitation would require crafting a malicious volume and social-engineering the user to attach it.
Out-of-bounds read in Windows USB Audio Class driver (usbaudio.sys) allows an unauthorized attacker to disclose information with a physical attack.
Local privilege escalation in the Windows Runtime (WinRT) affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2022/2025, where a race condition in shared-resource handling lets an already-authenticated local user win a timing window to gain higher privileges. Reported by Microsoft with a patch available; there is no public exploit identified at time of analysis and the CVSS base score is 7.8 (High). Note that Microsoft's tags label this as Information Disclosure while the description and CVSS impact metrics describe full privilege elevation - this discrepancy should be verified against the vendor advisory.
Privilege elevation in Microsoft SharePoint Server (Enterprise Server 2016 and Server 2019) allows an authenticated network attacker to abuse an improper authorization check to gain higher privileges within the SharePoint environment. The flaw is tagged as an authentication bypass and carries a CVSS 8.8, reflecting high impact to confidentiality, integrity, and availability from a low-privileged starting point. Microsoft has released a patch; there is no public exploit identified at time of analysis and no CISA KEV listing.
Information disclosure via uninitialized resource use in Windows Remote Desktop Protocol (RDP) exposes sensitive memory contents to authenticated remote attackers across a wide range of Microsoft Windows desktop and server editions. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms this is exploitable over the network by any low-privileged authenticated user with no complexity or interaction requirements, yielding high confidentiality impact. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low barrier to exploitation and the ubiquitous deployment of Windows RDP make this a meaningful patching priority.
Time-of-check time-of-use (toctou) race condition in Windows Subsystem for Linux allows an authorized attacker to perform tampering locally.
Local privilege escalation in Microsoft's Windows Subsystem for Linux (WSL2) allows a low-privileged authenticated user on the Windows host to elevate to higher privileges by triggering a buffer over-read (CWE-126). Microsoft (the reporting vendor) has released a fix via MSRC, and there is no public exploit identified at time of analysis. With a CVSS 3.1 base score of 7.8 and full high impact to confidentiality, integrity and availability, it is a meaningful local EoP but requires prior code-execution access on the machine.
Local privilege escalation in Microsoft Windows Routing and Remote Access Service (RRAS) allows an authenticated low-privileged attacker to elevate to SYSTEM by triggering a heap-based buffer overflow (CWE-122). The flaw affects a broad range of Windows client and server versions from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 R2 through Server 2025. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; a vendor patch is available.
Local privilege escalation in the Windows Ancillary Function Driver for WinSock (AFD.sys) allows an authenticated low-privileged user to elevate to SYSTEM by triggering a use-after-free (CWE-416) in the kernel-mode driver. All actively serviced Windows client (10 1607 through 11 26H1) and Server (2012 through 2025) editions are affected, and Microsoft has released patches. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Remote code execution in Microsoft Windows Media Foundation allows an unauthenticated attacker to run arbitrary code by tricking a user into opening a maliciously crafted media file or stream. The flaw is a heap-based buffer overflow (CWE-122) affecting a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; a vendor patch is available via the Microsoft Security Response Center.
Elevation of privilege in the Windows Hyper-V virtual network switch (VMSwitch) lets an authenticated attacker operating from a guest partition corrupt kernel memory via a use-after-free and gain higher privileges, with a scope change (S:C) indicating a guest-to-host escape. Rated CVSS 9.9 and affecting a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through 2025, this issue was reported by Microsoft and has a vendor patch available. No public exploit is identified at time of analysis and it is not listed in CISA KEV.
Out-of-bounds read in Windows Print Spooler Components allows an authorized attacker to disclose information locally.
Remote code execution in the Windows SMB Server network transport driver (srvnet.sys) lets an unauthenticated network attacker win a use-after-free race to run arbitrary code, affecting Windows 10, Windows 11, and Windows Server 2012 through 2025. Per its CVSS vector the flaw requires user interaction and high attack complexity, so exploitation is non-trivial rather than a trivial wormable hit. This was reported by Microsoft, a vendor patch is available, and there is no public exploit identified at time of analysis.
Local privilege escalation in the Windows File History Service lets an authenticated, low-privileged attacker corrupt a stack buffer (CWE-121) to run code with elevated (SYSTEM-level) privileges on affected Windows client and server releases. The flaw spans a broad range of supported editions from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025, including Server Core installations. No public exploit was identified at time of analysis, and the CVE is not listed in CISA KEV.
Remote code execution in Microsoft Windows Media Foundation lets an unauthenticated attacker run arbitrary code in the victim's context by delivering a malicious media file or stream that the target opens or plays. The flaw affects the Media Foundation multimedia framework across supported Windows 10, Windows 11 (through 26H1), and Windows Server 2016-2025 builds, and carries CVSS 8.8. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CVSS profile of confidentiality, integrity, and availability all rated High marks this as a high-priority client-side RCE.
Remote code execution in Microsoft Windows Media Foundation lets an unauthenticated network attacker run arbitrary code on the victim's machine when the target opens or renders a maliciously crafted media file or stream. The flaw is a heap-based buffer overflow (CWE-122) affecting a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Server 2016 through Server 2025. No public exploit identified at time of analysis, but the low complexity and network vector make it a high-priority patch item; exploitation requires user interaction (UI:R).
Exposure of sensitive information to an unauthorized actor in Windows Win32K allows an unauthorized attacker to elevate privileges locally.
Local privilege escalation in the Windows Network File System (NFS) component allows an authenticated attacker to elevate to SYSTEM by triggering a heap-based buffer overflow (CWE-122). Reported by Microsoft and affecting a broad range of Windows 10, Windows 11, and Windows Server 2012-2025 releases, with a vendor patch available via MSRC. No public exploit identified at time of analysis, and no CISA KEV listing.
Use of uninitialized resource in Windows File Explorer allows an unauthorized attacker to disclose information locally.
Use of uninitialized resource in Microsoft Windows Codecs Library allows an unauthorized attacker to disclose information locally.
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Network File System allows an unauthorized attacker to execute code over a network.
Elevation of privilege in the Windows Network File System (NFS) component affects a broad range of Microsoft platforms - Windows 10 (1607 through 22H2), Windows 11 (24H2, 25H2, 26H1), and Windows Server 2012 through 2025 - where an authorized attacker can win a time-of-check/time-of-use (TOCTOU) race condition over the network to gain higher privileges. The CVSS 3.1 vector (AV:N/AC:H/PR:L) indicates a network-reachable but high-complexity flaw requiring low-level existing privileges, with full high impact to confidentiality, integrity and availability. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; a Microsoft (MSRC) patch is available.
Privilege escalation in the Windows Remote Access Service (RRAS) Infrastructure allows an authenticated attacker to elevate privileges over the network by triggering an integer overflow (CWE-190) in affected code paths. The flaw affects a broad range of Windows 10, Windows 11, and Windows Server releases (2012 R2 through 2025), and Microsoft has released a patch. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the network-reachable EoP profile with only low privileges required makes it a meaningful patch priority.
Privilege escalation via a heap-based buffer overflow in the Windows Network File System (NFS) role lets an authenticated, low-privileged network attacker send crafted requests to corrupt server heap memory and gain elevated privileges. Affected systems span Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025 wherever the Server for NFS role is present. No public exploit was identified at time of analysis and the flaw is not in CISA KEV, but the 8.8 CVSS with a network-reachable, low-complexity, no-user-interaction profile makes it a meaningful patch priority on NFS hosts.
Local code execution in Microsoft Windows Terminal (shipped on Windows 10 21H2/22H2, Windows 11 24H2/25H2/26H1, and Windows Server 2022/2025) arises from an integer overflow (CWE-190) that an unauthorized attacker can trigger, but only after luring a logged-on user into interacting with malicious content. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV, so this is a defense-in-depth patch rather than an emergency, though the CVSS 7.8 reflects full confidentiality, integrity, and availability impact once triggered. Microsoft has released a patch via the MSRC update guide.
Local privilege escalation in the Microsoft Windows Kernel allows an authenticated attacker to elevate to SYSTEM by exploiting a use-after-free (CWE-416) memory corruption condition, spanning Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2016 through 2025. Reported by Microsoft with a CVSS 3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N), the flaw grants full confidentiality, integrity, and availability impact on the local system. No public exploit identified at time of analysis, and it is not listed in CISA KEV; a vendor patch is available.
Local privilege escalation in the Microsoft Windows Kernel (CWE-416 use-after-free) lets an already-authenticated low-privilege user corrupt kernel memory and gain SYSTEM-level control across a broad range of Windows 10, Windows 11, and Windows Server 2016 through 2025 builds. Microsoft self-reported the flaw and has shipped a patch through the Update Guide; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. With CVSS 7.8 (AV:L/PR:L) it is a classic Patch-Tuesday local EoP suitable as a second-stage primitive after initial access.
Remote code execution in Microsoft Fabric Data Warehouse allows an authenticated attacker to run arbitrary code over the network by triggering a stack-based buffer overflow (CWE-121). The flaw carries a CVSS 8.8 rating with high impact to confidentiality, integrity, and availability, and requires only low-privilege access with no user interaction. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but a vendor patch is available via MSRC.
Time-of-check time-of-use (toctou) race condition in Microsoft Defender for Endpoint allows an authorized attacker to elevate privileges locally.
Authenticated remote code execution in Microsoft Windows Admin Center (CWE-77) lets an attacker with low-privilege access inject and run arbitrary commands over the network, yielding full confidentiality, integrity, and availability compromise (CVSS 8.8). Microsoft has released a patch; there is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Remote code execution in Microsoft Windows Admin Center allows an authenticated attacker to run arbitrary code over the network by exploiting a relative path traversal (CWE-23) flaw. Any user holding valid low-privilege credentials to the WAC gateway can leverage the traversal to break out of the intended file path and achieve full compromise (confidentiality, integrity, and availability impact all High). Microsoft has published a patch via MSRC; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Out-of-bounds read in Microsoft Office exposes sensitive memory contents to a local, unauthenticated attacker who can induce a user to open a malicious document. Affected products span the full current Office portfolio - Office 2016 through LTSC 2024 on both Windows and macOS - making the blast radius broad despite the local attack vector. No public exploit identified at time of analysis and SSVC classifies exploitation as none and not automatable, though the high confidentiality impact (C:H) and near-universal deployment of Office keep this a meaningful patching priority.
Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally.
Information disclosure in Microsoft Office (Microsoft 365 Apps, Office 2016/2019, Office LTSC 2021/2024, and Office for Mac) arises from an out-of-bounds read (CWE-125) that lets an attacker who convinces a victim to open a crafted file read memory beyond an intended buffer boundary. Exploitation is local and requires user interaction, and there is no public exploit identified at time of analysis and no CISA KEV listing. Disclosed memory can leak sensitive data such as heap contents or pointer addresses useful for defeating ASLR in a follow-on exploit chain.
Local code execution in Microsoft Windows Media Foundation (CWE-122 heap-based buffer overflow) lets an unauthorized attacker run arbitrary code when a victim opens a maliciously crafted media file or content that the platform parses. It affects a broad range of Windows client and server builds from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote code execution in the Windows Server Network driver stems from a race condition (CWE-362) that lets an unauthorized attacker execute arbitrary code across a wide range of Microsoft Windows client and server builds, from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates unauthenticated network exploitation with full confidentiality, integrity, and availability impact, and an 'Authentication Bypass' tag suggests the flaw can also subvert access controls. There is no public exploit identified at time of analysis and no CISA KEV listing, but the network-facing, pre-authentication nature makes it a high-priority patch.
Information disclosure in Microsoft Windows Schannel (the Secure Channel TLS/SSL provider) lets an authenticated, network-adjacent attacker read memory beyond an allocated buffer and leak sensitive data across a network connection. The flaw spans nearly the entire supported Windows family - Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025. Reported by Microsoft with a fix available; there is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Local privilege escalation in the Windows MIDI Service Module affects Windows 11 versions 24H2, 25H2, and 26H1, where a use-after-free (CWE-416) memory corruption lets an already-authorized local user run code with elevated privileges. Microsoft rates it CVSS 7.0 and has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Exploitation is non-trivial due to high attack complexity and requires the attacker to already hold low-level local privileges.
Exposure of sensitive information to an unauthorized actor in Windows Win32K allows an authorized attacker to disclose information locally.
Remote code execution in Microsoft Windows Remote Desktop (RDP) allows an unauthorized network attacker to run arbitrary code by triggering the use of an uninitialized resource (CWE-908). All currently supported Windows client and server releases are affected, from Windows 10 1607 and Windows Server 2012 through Windows 11 26H1 and Windows Server 2025. The CVSS 3.1 base score is 9.8 with a network, no-privileges, no-interaction vector; there is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Local privilege escalation in the Windows MIDI Service Module affects Windows 11 versions 24H2, 25H2, and 26H1, where a use-after-free (CWE-416) memory-corruption flaw lets an already-authenticated local user elevate to higher privileges. Exploitation requires winning a race condition (high attack complexity), and Microsoft has released a fix; no public exploit identified at time of analysis. Rated CVSS 7.0 with full confidentiality, integrity, and availability impact once triggered.
Local privilege escalation in the Windows NTFS file system driver allows an authenticated low-privileged user to gain SYSTEM-level rights by triggering an integer overflow (CWE-190) during filesystem processing. It affects a broad range of supported Windows client and server releases, from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; a vendor patch is available from Microsoft.
Local privilege escalation in the Windows NTFS driver lets an already-authenticated attacker corrupt heap memory to run code at a higher privilege level (typically SYSTEM) on affected Windows 10, Windows 11, and Windows Server builds. Microsoft reported the issue and has shipped a fix; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. With CVSS 7.8 (AV:L/PR:L) it is a valuable post-compromise pivot rather than an initial-access bug.
Local privilege escalation in the Win32k GRFX subsystem across Windows 10, Windows 11, and Windows Server 2012 through 2025 lets an authenticated low-privileged local attacker elevate to SYSTEM by triggering an out-of-bounds read (CWE-125). The flaw was reported internally by Microsoft, a vendor patch is available via MSRC, and there is no public exploit identified at time of analysis. CVSS is 7.8 (High), reflecting a local vector with low complexity and low privileges required.
Local privilege elevation in the Windows WebView component affects a broad range of currently-supported Windows client and server builds (Windows 10 1809 through Windows 11 26H1, and Windows Server 2019/2022/2025). By triggering a use-after-free (CWE-416) memory-corruption condition, an already-authenticated low-privilege attacker can execute code in a higher-privilege context, yielding full confidentiality, integrity, and availability impact on the local system. Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Null pointer dereference in Windows SMB Server allows an authorized attacker to deny service over a network.
Local privilege escalation in Microsoft XML Core Services (MSXML) lets a low-privileged, authorized attacker on a Windows host reclaim a freed object (use-after-free, CWE-416) to run code at elevated privilege. It affects a broad Windows footprint spanning Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025, including Server Core installations. Microsoft reported the flaw, a patch is available, and there is no public exploit identified at time of analysis; CISA SSVC currently rates exploitation as none.
Remote code execution in the Microsoft Windows DHCP Server role allows an unauthenticated network attacker to run arbitrary code by triggering a heap-based buffer overflow (CWE-122) in the service's packet handling. The flaw carries a CVSS 9.8 with a fully remote, no-interaction, no-privilege vector and affects Windows Server 2012 through 2025 (plus the Windows 10 1607/1809 code base). At time of analysis there is no public exploit identified and the issue is not listed in CISA KEV, but the unauthenticated network-facing nature of the DHCP service makes it a high-priority patch.
Improper access control in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
Local code execution in Microsoft Office Excel (across Microsoft 365 Apps for Enterprise, Office LTSC 2021/2024, and their macOS counterparts) arises from a heap-based buffer overflow (CWE-122) triggered when a victim opens a maliciously crafted spreadsheet. An unauthorized attacker can achieve arbitrary code execution in the context of the current user, gaining high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but a vendor patch is available from Microsoft.