Skip to main content

Microsoft

17290 CVEs vendor

Monthly

CVE-2026-48831 HIGH This Week

Wine ships a .desktop file that registers itself as a MIME handler for EXE files and several other Windows executable file types. In some configurations, handling of an EXE file causes that file to be blindly executed with the permissions of the invoker. This allows escaping Flatpak and Snap sandboxes, because MIME handlers are not intended for use by code interpreters and loaders. NOTE: some parties feel that this is not a bug to be addressed in Wine, because there is no known solution that avoids a severe loss of usability (Wine could be a binfmt-misc handler, but binfmt-misc does not exist on all platforms supported by Wine).

Microsoft Information Disclosure Suse
NVD VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-23663 HIGH PATCH NO ACTION HOSTED Monitor

Privilege elevation in Microsoft Entra ID (formerly Azure AD), specifically affecting Microsoft Global Secure Access (GSA), allows remote unauthenticated attackers to gain elevated privileges over the network. The CVSS 7.5 rating reflects high confidentiality impact with no required authentication or user interaction, though no public exploit has been identified at time of analysis. The vector points to a flaw in how identity or access tokens are evaluated, which is particularly sensitive given Entra ID's role as a primary IAM backbone for Microsoft 365 and Azure tenants.

Microsoft Privilege Escalation
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-42901 CRITICAL PATCH NO ACTION HOSTED Monitor

Privilege escalation in Microsoft Entra ID enables remote unauthenticated attackers to bypass origin validation and gain elevated privileges across tenant boundaries (scope-changed). The CVSS 10.0 rating reflects maximum impact across confidentiality, integrity, and availability with no authentication or user interaction required, though no public exploit has been identified at time of analysis and EPSS data is not provided.

Microsoft Authentication Bypass
NVD VulDB
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-41104 CRITICAL PATCH NO ACTION HOSTED Monitor

Unsafe deserialization in Microsoft Planetary Computer Pro (Geocatalog) lets a remote unauthenticated attacker craft malicious serialized payloads that the service processes, resulting in information disclosure across a trust boundary. The maximum CVSS 10.0 score reflects network-reachable exploitation with no privileges or user interaction and a scope change, though no public exploit identified at time of analysis and EPSS data was not provided.

Microsoft Deserialization
NVD VulDB
CVSS 3.1
10.0
EPSS
0.3%
CVE-2026-45659 HIGH POC KEV PATCH THREAT CISA NEWS Exploit Unlikely Act Now

Authenticated remote code execution in Microsoft SharePoint (Enterprise Server 2016, Server 2019, and Subscription Edition) stems from unsafe deserialization of untrusted data (CWE-502), enabling an authorized attacker to run arbitrary code on the server over the network. CVSS 8.8 with low privileges required and no user interaction makes this attractive to post-authentication adversaries, though no public exploit identified at time of analysis and CVSS temporal data marks exploit code maturity as Unproven.

Microsoft Deserialization Microsoft Sharepoint Enterprise Server 2016 Microsoft Sharepoint Server 2019 Microsoft Sharepoint Server Subscription Edition
NVD VulDB GitHub
CVSS 3.1
8.8
EPSS
0.5%
Threat
4.8
CVE-2026-33843 CRITICAL PATCH NO ACTION HOSTED Monitor

Authentication bypass in Microsoft Azure Active Directory B2C (now part of Microsoft Entra) allows remote unauthenticated attackers to elevate privileges by reaching protected functionality through an alternate code path. The CVSS 9.1 vector (AV:N/AC:L/PR:N/UI:N) reflects network-reachable exploitation with no privileges and no user interaction, yielding high confidentiality and integrity impact against tenants relying on Azure AD B2C for identity. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the unauthenticated-network profile and Microsoft self-reporting make this a high-priority advisory for any tenant using B2C.

Microsoft Authentication Bypass
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-26147 HIGH PATCH NO ACTION HOSTED Monitor

Information disclosure in Microsoft Azure Compute Gallery permits an authenticated remote attacker to read sensitive data across tenant or resource boundaries due to improper input validation (CWE-20). The scope-changed CVSS 7.7 rating reflects cross-boundary impact, but the exploit maturity is currently unproven (E:U) and no public exploit identified at time of analysis. Microsoft has published an official fix via MSRC.

Microsoft Information Disclosure
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2026-41090 CRITICAL PATCH NO ACTION HOSTED Monitor

Command injection in Microsoft 365 Copilot for iOS allows remote unauthenticated attackers to tamper with system integrity over the network when a user is convinced to interact with malicious content. The flaw carries a critical CVSS score of 9.3 with a scope change indicating impact beyond the vulnerable component, though no public exploit identified at time of analysis. An official vendor patch is available via MSRC.

Microsoft Command Injection
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-47280 CRITICAL PATCH NO ACTION HOSTED Monitor

Privilege elevation in Microsoft Azure Resource Manager (ARM) allows remote unauthenticated attackers to bypass authentication and gain elevated privileges across the cloud control plane. The flaw carries a maximum CVSS score of 10.0 due to a scope change combined with full confidentiality, integrity, and availability impact, and although Microsoft has released a fix there is no public exploit identified at time of analysis. Given ARM is the central management layer for nearly all Azure resources, successful exploitation could have broad tenant-wide consequences.

Microsoft Authentication Bypass
NVD VulDB
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-40411 CRITICAL PATCH NO ACTION HOSTED Monitor

Remote code execution in Microsoft Azure Virtual Network Gateway allows an authenticated attacker with low privileges to execute arbitrary code across a network boundary due to improper input validation. The CVSS 9.9 score reflects scope-changed impact (S:C) where exploitation can compromise resources beyond the vulnerable component itself, affecting confidentiality, integrity, and availability. No public exploit identified at time of analysis, though the high score and managed-service nature warrant priority attention.

Microsoft Information Disclosure
NVD
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-35430 HIGH PATCH This Week

Privilege escalation in Microsoft Azure Privileged Identity Management (PIM) allows an authenticated attacker to bypass authorization checks by manipulating a user-controlled key, escalating privileges over the network. The flaw stems from an Insecure Direct Object Reference (IDOR) pattern (CWE-639) where the service trusts a client-supplied identifier when making authorization decisions. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Microsoft Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-23652 CRITICAL PATCH NO ACTION Monitor

Remote code execution in Microsoft Power Pages allows unauthenticated network attackers to inject and execute operating-system commands against the platform, with a maximum CVSS score of 10.0 reflecting changed scope and full confidentiality, integrity, and availability impact. The flaw stems from improper neutralization of special elements in command construction (CWE-77), and while no public exploit has been identified at time of analysis, Microsoft has released a patch via MSRC. Given Power Pages is a multi-tenant SaaS offering, a successful exploit could pivot beyond the initial site boundary.

Microsoft Command Injection
NVD VulDB
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-40412 CRITICAL PATCH NO ACTION Monitor

Remote code execution in Microsoft Azure Orbital Spatio allows unauthenticated network attackers to upload dangerous file types and execute arbitrary code, earning a maximum CVSS 10.0 score with scope change (S:C). Per Microsoft's MSRC advisory, a vendor patch is available, though no public exploit has been identified at time of analysis and the EPSS score was not provided in the source data.

Microsoft File Upload
NVD
CVSS 3.1
10.0
EPSS
0.3%
CVE-2026-8673 MEDIUM PATCH This Month

Unprotected credential transport in syslink software AG Avantra before version 25.3.0 exposes authentication material to network-layer interception on both Linux and Windows deployments. The vulnerability, classified under CWE-523, allows a suitably positioned network adversary to capture credentials in transit, with the CVSS vector indicating high confidentiality and integrity impact upon successful exploitation. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the high attack complexity and high privilege prerequisite meaningfully constrain the realistic attacker population.

Microsoft Information Disclosure
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-8672 MEDIUM PATCH This Month

Default credential exposure in syslink software AG Avantra (all versions before 25.3.0) on Linux and Windows allows a local attacker with high-privilege access to authenticate using known default passwords, achieving high confidentiality impact against monitoring data and infrastructure configurations managed by the platform. Reported by NCSC.ch and addressed in version 25.3.0, this CWE-1393 flaw represents an insider threat or post-compromise lateral movement risk for organizations running Avantra in SAP and IT operations environments. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis.

Microsoft Information Disclosure
NVD
CVSS 3.1
5.1
EPSS
0.0%
CVE-2026-8671 HIGH PATCH This Week

Sensitive information disclosure in syslink software AG Avantra (versions before 25.3.0) on Linux and Windows allows an attacker with high privileges and adjacent network access to harvest data written into log files, with a scope-changed impact crossing trust boundaries. The flaw is tracked as CWE-532 and rated CVSS 7.5, but no public exploit identified at time of analysis and it is not listed in CISA KEV.

Microsoft Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-8670 CRITICAL PATCH Act Now

Session replay weakness in syslink software AG's Avantra monitoring platform (versions before 25.3.1) on Linux and Windows allows remote attackers to reuse captured session identifiers because sessions are not properly expired. With CVSS 9.6 and scope change, an attacker who obtains a valid session ID can impersonate users and pivot into systems Avantra manages; no public exploit identified at time of analysis.

Microsoft Information Disclosure
NVD
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-46556 PyPI MEDIUM GHSA This Month

Blind Server-Side Request Forgery in FlaskBB's avatar URL handling allows any authenticated user to force the server to issue arbitrary HTTP GET requests to internal network endpoints, including cloud instance metadata services (AWS IMDSv1 at 169.254.169.254, GCP, Azure equivalents). All versions up to and including 2.2.0 of the pip-distributed FlaskBB package are affected, with no vendor-released patch available at time of analysis. A proof-of-concept is publicly available via the GitHub Security Advisory, and three distinct exploitation channels have been demonstrated: direct credential exfiltration from cloud metadata services, internal port scanning via differential error responses, and triggering of internal APIs (Elasticsearch, etcd, Consul, CI/CD webhooks).

Microsoft Elastic Python SSRF
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-46561 PyPI MEDIUM PATCH GHSA This Month

Redirect-based SSRF bypass in pyload-ng's parse_urls API allows authenticated attackers with ADD permission to probe internal network services and cloud metadata endpoints by chaining an open redirect through an attacker-controlled host. The prior SSRF fix (commit 33c55da, GHSA-7gvf-3w72-p2pg) correctly hardened HTTPChunk but left HTTPRequest used by RequestFactory.get_url() with allow_private_ip=True, rendering the is_global_host() check on the initial URL ineffective against 302 redirects to private IP space. A public proof-of-concept exploit exists demonstrating exfiltration of AWS IMDSv1 metadata; no public exploit identified at time of analysis for active in-the-wild exploitation, and CVE-2026-46561 is not listed in the CISA KEV catalog.

Microsoft Python SSRF
NVD GitHub
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-46481 Maven HIGH PATCH GHSA This Week

Sensitive credential disclosure in OpenMetadata 1.12.1 allows any authenticated non-admin SSO user to retrieve cleartext database passwords and a long-lived ingestion-bot JWT by triggering a TEST_CONNECTION workflow via POST /api/v1/automations/workflows. The HTTP 201 response unexpectedly echoes the stored Oracle/database secret and the bot's bearer token, which can then be replayed against service APIs with bot-level privileges. A detailed proof-of-concept is published in the GitHub Security Advisory (GHSA-9vmh-whc4-7phg), so publicly available exploit code exists; no public exploit identified at time of analysis in CISA KEV.

Microsoft Information Disclosure Apache Oracle
NVD GitHub VulDB
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-22880 MEDIUM This Month

SSO authentication callback origin validation failure in Mattermost Mobile Apps enables cross-server credential theft across multiple release branches (≤11.1.3, ≤11.3.2, ≤11.0.4, ≤10.11.11, ≤2.0.37). An attacker operating a malicious Mattermost server can relay the SSO authorization code exchange through a victim's mobile application to authenticate against a separate, legitimate Mattermost server - stealing valid session credentials without the victim's awareness. No public exploit has been identified at time of analysis, and CVSS AC:H constrains this to targeted, engineered attacks rather than opportunistic mass exploitation.

Microsoft CSRF Mattermost
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-9118 HIGH PATCH This Week

Remote code execution in Google Chrome on Windows prior to 148.0.7778.179 stems from a use-after-free flaw in the XR (WebXR) component, enabling a remote attacker to run arbitrary code in the renderer process by enticing a user to visit a crafted HTML page. Chromium rates the issue High severity and CVSS scores it 8.8; no public exploit identified at time of analysis and SSVC reports exploitation status as none. A vendor patch is available via the Stable Channel update referenced in the Chrome Releases advisory.

Microsoft Google RCE Denial Of Service Use After Free +4
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-9112 HIGH PATCH This Week

Remote code execution in Google Chrome on Windows prior to version 148.0.7778.179 stems from a use-after-free condition in the GPU component, enabling a remote attacker to run arbitrary code within the renderer sandbox after the victim loads a crafted HTML page. Google has rated the issue High severity and shipped a fix; no public exploit identified at time of analysis and SSVC indicates exploitation status 'none' despite total technical impact.

Microsoft Google RCE Denial Of Service Use After Free +4
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-9110 MEDIUM PATCH This Month

UI spoofing in Google Chrome on Windows (prior to 148.0.7778.179) enables a remote attacker who has already achieved renderer process compromise to deceive end users through a crafted HTML page, exploiting CWE-451 (UI Misrepresentation of Critical Information). Affected users on Windows running any Chrome version below 148.0.7778.179 are exposed to potential phishing or credential-harvesting scenarios dressed up as legitimate browser UI. No public exploit code or CISA KEV listing exists at time of analysis, but the Chromium team assigned a Critical internal severity - a meaningful contrast with the NVD CVSS score of 4.2 - suggesting the spoofing potential carries downstream risk beyond what the base score reflects.

Microsoft Information Disclosure Google Suse Red Hat +1
NVD VulDB
CVSS 3.1
4.2
EPSS
0.1%
CVE-2026-26028 npm MEDIUM PATCH GHSA This Month

HTML sanitizer bypass in CryptPad's Diffmarked.js allows remote unauthenticated attackers to inject arbitrary HTML into collaborative documents, completely defeating the platform's bounce sandboxing mechanism. All CryptPad versions prior to 2026.2.0 are affected; the CVSS scope change (S:C) reflects that exploitation crosses sandbox boundaries, enabling link injection and delivery of malicious interactive content to any user who opens a crafted document. No public exploit code has been identified at time of analysis and this CVE is not listed in CISA KEV, though the attack vector is network-accessible with no authentication required.

Microsoft Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-46431 Go MEDIUM PATCH GHSA This Month

Cross-origin read access to Algernon's SSE auto-refresh event server (versions ≤ 1.17.6) allows any web page visited by a developer to silently subscribe to the live file-change stream via a browser-native EventSource. The root cause is a hardcoded wildcard `Access-Control-Allow-Origin: *` response header in the dedicated SSE port activated by the `-a` flag, with no origin inspection or allow-list logic present in the vendored recwatch handler. No public exploit identified at time of analysis per KEV absence, though a complete working proof-of-concept - including exploit HTML and curl verification transcript - is published in GHSA-hw27-4v2q-5qff.

Information Disclosure Cors Misconfiguration Microsoft Apple Canonical
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-46430 Go MEDIUM PATCH GHSA This Month

Algernon's auto-refresh SSE event server unintentionally exposes developer file-change streams to unauthenticated LAN peers on Linux and macOS due to a platform-dependent bind address default that was never intended to reach adjacent hosts. On non-Windows platforms, the SSE listener resolves to 0.0.0.0:5553 (all interfaces), while Windows correctly binds to 127.0.0.1:5553 - a silent asymmetry introduced in engine/flags.go that leaves developers on the most common Algernon platforms exposed whenever they work on shared networks. A publicly available proof-of-concept demonstrates that any host on the same subnet can enumerate project filenames and edit timing with a single unauthenticated curl command, with no developer interaction required; no public exploit identified at time of analysis rises to confirmed active exploitation (not in CISA KEV).

Microsoft Information Disclosure Apple
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-42834 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Microsoft's Windows Admin Center (Azure Portal edition) allows an authenticated low-privileged attacker to gain higher privileges by abusing symbolic link resolution before file access. The flaw, reported by Microsoft itself, carries a CVSS 7.8 with no public exploit identified at time of analysis, and a vendor patch is available via the Microsoft Security Response Center advisory.

Microsoft Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45584 HIGH PATCH This Week

Remote code execution in Microsoft Defender (Microsoft Malware Protection Engine) enables unauthenticated network-based attackers to corrupt heap memory and run arbitrary code on hosts running the vulnerable scanning engine. The flaw scores CVSS 8.1 with high attack complexity, affects systems by default since Defender is shipped with Windows, and at time of analysis has no public exploit identified, though Microsoft has released a vendor patch via MSRC.

Microsoft Buffer Overflow Heap Overflow
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-41091 HIGH POC KEV PATCH THREAT NEWS Exploited Act Now

Local privilege escalation in Microsoft Defender (Malware Protection Engine) enables an authenticated low-privileged attacker to elevate to SYSTEM by abusing improper link resolution (CWE-59) before file access. The flaw scores CVSS 7.8 with high impact to confidentiality, integrity, and availability, and no public exploit is identified at time of analysis. Microsoft has released a patch via MSRC, and there is no current CISA KEV listing or EPSS signal indicating active mass exploitation.

Microsoft Information Disclosure
NVD VulDB GitHub
CVSS 3.1
7.8
EPSS
12.1%
Threat
4.9
CVE-2026-45498 MEDIUM POC KEV PATCH THREAT NEWS Exploited Act Now

Denial of service in Microsoft Defender Antimalware Platform allows a local, unprivileged attacker to partially degrade availability with low attack complexity and no user interaction required. The CVSS 4.0 score reflects limited impact - confidentiality and integrity are unaffected, and availability impact is rated Low. Vendor patch is available via Microsoft Security Response Center; no public exploit identified at time of analysis and no CISA KEV listing.

Microsoft Denial Of Service
NVD VulDB
CVSS 3.1
4.0
EPSS
2.3%
CVE-2026-45585 MEDIUM Exploit Likely This Month

Windows security feature bypass, publicly dubbed 'YellowKey', exposes systems to full confidentiality, integrity, and availability compromise via command injection (CWE-77) requiring only physical access - no credentials or user interaction needed. A proof-of-concept was released publicly prior to patch availability, violating coordinated disclosure norms, which lowers the attacker skill bar significantly. No vendor-released patch exists at time of analysis; Microsoft has confirmed the issue and is preparing a security update.

Microsoft Command Injection
NVD VulDB GitHub
CVSS 3.1
6.8
EPSS
0.1%
CVE-2026-46354 Go CRITICAL PATCH GHSA Act Now

Unauthenticated agent token theft in Coder v2 (self-hosted developer workspace platform) stems from azureidentity.Validate() verifying the PKCS#7 signer's certificate chain but skipping signature verification of the signed content itself. Remote attackers who know a target VM's vmId (a UUIDv4) can forge a PKCS#7 envelope containing a legitimate Azure certificate alongside attacker-controlled content and POST it to the unauthenticated /api/v2/workspaceagents/azure-instance-identity endpoint to receive the victim workspace agent's session token, which then unlocks Git SSH keys, OAuth tokens for GitHub/GitLab/Bitbucket, and workspace secrets. No public exploit identified at time of analysis, but the vulnerability is vendor-confirmed via GHSA-6x44-w3xg-hqqf and a detailed root-cause analysis with attack-path diagram is published.

Microsoft Jwt Attack Hashicorp RCE Gitlab
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-46338 PyPI MEDIUM PATCH GHSA This Month

Path traversal in pymdownx.snippets versions 10.0.1 through 10.21.2 allows unauthenticated remote attackers to read arbitrary files from sibling directories outside the configured base_path, bypassing the restrict_base_path protection intended by CVE-2023-32309. The bypass exploits a string-prefix comparison introduced in PR #2039 that lacks directory-boundary enforcement, enabling a crafted snippet directive like '--8<-- "../docs_secret/leak.txt"' to escape the configured base directory when sibling paths share the same string prefix. Publicly available exploit code (proof-of-concept) exists in the GitHub Security Advisory; the vulnerability is not confirmed actively exploited in the CISA KEV catalog at time of analysis.

Microsoft Path Traversal Python
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-45796 Go MEDIUM PATCH GHSA This Month

Unauthenticated semi-blind Server-Side Request Forgery in Coder's Azure instance identity endpoint allows any remote attacker to force the Coder server to issue HTTP GET requests to arbitrary internal or external hosts, enabling internal network reconnaissance, cloud metadata service probing (e.g., 169.254.169.254), and error-based information disclosure of network topology. The vulnerability exists across all supported Coder release lines prior to v2.29.13/v2.30.8/v2.31.12/v2.32.2/v2.33.3/v2.24.5 (ESR), and has been patched in GitHub PR #25274. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Microsoft Information Disclosure SSRF
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-45571 Go MEDIUM PATCH GHSA This Month

Path traversal in go-git allows crafted repository payloads to write files outside the intended checkout directory, including into the repository's .git directory and parent paths. The vulnerability stems from go-git failing to implement path validation checks that upstream Git adopted years ago, creating a drift-induced security gap across all supported platforms - with additional platform-specific attack vectors affecting Windows and macOS users distinctly. CVSS scores this at 5.4 medium with no public exploit identified at time of analysis and no CISA KEV listing, but the real-world risk is elevated in automated pipelines or developer tooling that processes untrusted repositories without human review.

Microsoft Path Traversal Apple
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-45721 Go CRITICAL PATCH GHSA Act Now

Pre-authenticated remote code execution in Algernon web server (≤ 1.17.6) allows attackers who can place a handler.lua file anywhere in a parent directory of the server root to execute arbitrary Lua - including shell commands via run3() and os.execute - in the server process on the next HTTP request. The flaw stems from DirPage walking up to 100 ancestor directories past the configured server root searching for handler.lua, and the permission middleware does not gate this lookup, so an anonymous GET / suffices to trigger execution. Publicly available exploit code exists (the reporter published three working PoC variants and a live verification against 1.17.6).

Microsoft Redis RCE Canonical
NVD GitHub
CVSS 3.1
9.0
EPSS
0.2%
CVE-2026-45728 Go HIGH PATCH GHSA This Week

Information disclosure in Algernon web server versions 1.17.6 and earlier allows unauthenticated remote attackers to retrieve full server-side source code, including embedded secrets, by triggering runtime errors in Lua, Pongo2, Amber, or HTML template handlers. When Algernon is started with a single file path (e.g. `algernon page.po2`), single-file mode unconditionally forces debug mode on, activating the PrettyError renderer which returns absolute file paths and complete file contents in HTTP 200 responses. Crucially, the `--prod` hardening flag does not block this behavior for non-`.lua` extensions, and publicly available exploit code exists in the GHSA advisory.

Microsoft Information Disclosure Python
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-34883 MEDIUM This Month

An issue was discovered in the Portrait Dell Color Management application before 3.7.0 for Dell monitors. On Windows, a symbolic link vulnerability allows a local low-privileged user to escalate privileges to Administrator. During installation, the software writes the file CCFLFamily_07Feb11.edr to C:\ProgramData\Portrait Displays\CW\data\i1D3\ while running with elevated privileges. Because the installer does not properly validate symbolic links or reparse points at the destination path, an attacker can create a malicious link that redirects the write operation to an arbitrary system location, enabling arbitrary file creation or overwrite with elevated privileges.

Microsoft Dell Privilege Escalation
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-47092 HIGH PATCH NEWS This Week

Local privilege code execution in jarrodwatts/claude-hud through version 0.0.12 on Windows allows authenticated local users to run arbitrary executables by setting the COMSPEC environment variable before the tool's version check, where execFile() launches whatever binary COMSPEC points to with cmd.exe-style arguments. The flaw is tracked as CWE-427 (Uncontrolled Search Path Element) and was reported by VulnCheck; no public exploit identified at time of analysis, but the upstream commit 234d9aa makes the fix mechanics straightforward to reverse-engineer.

RCE Microsoft Command Injection Claude Hud
NVD GitHub
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-42822 CRITICAL PATCH Exploit Likely Act Now

Privilege elevation in Microsoft Azure Local Disconnected Operations allows unauthenticated network-based attackers to gain elevated rights via an improper authentication weakness (CWE-287). The flaw carries a maximum CVSS 10.0 score with scope change, and Microsoft has issued a patched build (Azure Local 2604.2.25645). No public exploit identified at time of analysis, but the trivial attack profile (AV:N/AC:L/PR:N/UI:N) makes this a top-priority fix for affected hybrid-cloud deployments.

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-45495 HIGH PATCH Exploit Likely This Week

Remote code execution in Microsoft Edge (Chromium-based) versions prior to 148.0.3967.70 allows attackers to execute arbitrary code on victim systems when a user is lured to a malicious webpage. The vulnerability stems from improper input validation (CWE-20) and carries a CVSS 3.1 score of 8.8 with high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

RCE Google Microsoft
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-45494 MEDIUM PATCH Exploit Likely This Month

Cross-site scripting (XSS)-based spoofing in Microsoft Edge (Chromium-based) versions prior to 148.0.3967.70 allows remote unauthenticated attackers to inject and execute scripts within the browser context, manipulating rendered content or UI trust indicators to deceive users. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms low-complexity, network-reachable exploitation requiring only that a victim visit a malicious page. Impact is constrained to limited confidentiality and integrity loss (C:L/I:L/A:N), consistent with spoofing and credential-phishing scenarios rather than full system compromise. No public exploit identified at time of analysis and no CISA KEV listing.

Google Microsoft XSS
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-45492 MEDIUM PATCH Exploit Likely This Month

Security feature bypass in Microsoft Edge (Chromium-based) versions prior to 148.0.3967.70 enables remote attackers to circumvent browser security controls through improper input validation (CWE-20), resulting in limited confidentiality and integrity compromise. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms exploitation is network-based, requires no attacker privileges, but demands user interaction - consistent with a browser-based attack requiring a victim to engage with malicious content. No public exploit code or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Google Microsoft
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-41119 MEDIUM PATCH This Month

Improper SSL/TLS certificate validation in Dell Live Optics Windows and Personal Edition collectors allows remote attackers to intercept and modify data transmitted by the collector. The vulnerability requires network positioning (man-in-the-middle) and user interaction, making exploitation moderately complex but enabling complete compromise of data confidentiality and integrity for collector communications. Dell has released patches in version 27.1.10.1 to address the certificate validation flaw.

Information Disclosure Dell Microsoft
NVD VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-6334 Go LOW PATCH Monitor

OAuth authorization code interception in Mattermost 10.11.x through 10.11.13 and 11.5.x through 11.5.1 allows authenticated OAuth clients to redeem authorization codes issued to different clients. An attacker controlling a malicious OAuth application can intercept and exchange authorization codes meant for legitimate applications, potentially gaining unauthorized access to user data or sessions. CVSS score of 3.1 reflects high attack complexity and required privileges, with EPSS data not provided. Vendor patch released per Mattermost advisory MMSA-2026-00570.

Mattermost Information Disclosure Microsoft
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2020-37247 HIGH POC This Week

Kite 4.2.0.1 U1 contains an unquoted service path vulnerability in the KiteService Windows service that allows local attackers to escalate privileges by exploiting the service binary path. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Microsoft Privilege Escalation
NVD Exploit-DB VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-46359 PHP HIGH PATCH GHSA This Week

SQL injection in phpMyFAQ prior to 4.1.2 allows attackers authenticating through Azure AD/Entra ID OAuth to execute arbitrary database queries by embedding SQL metacharacters in their identity provider display name or JWT claims. The CurrentUser::setTokenData() method interpolates OAuth token fields into an UPDATE statement via sprintf without calling the database escape routine, while sibling methods in the same file correctly escape input. Publicly available exploit code exists per VulnCheck and the GHSA advisory, though EPSS is low (0.03%, 9th percentile) and the issue is not in CISA KEV.

Microsoft SQLi
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-45715 npm HIGH PATCH GHSA This Week

Budibase's REST datasource integration before version 3.38.1 bypasses IP blacklist security controls through HTTP redirect following. Authenticated Builder-level users can exploit this to access cloud metadata services and internal databases by redirecting requests through attacker-controlled servers, potentially stealing AWS/GCP/Azure credentials. This vulnerability class was previously fixed in automation steps but the REST integration was overlooked, creating an inconsistent security posture.

Redis Python SSRF Microsoft
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-45548 npm HIGH PATCH GHSA This Week

Server-Side Request Forgery (SSRF) in Budibase's AI Extract File automation step allows authenticated users with builder permissions to bypass IP blacklist protections and access internal resources. The vulnerability exists because the processUrlFile function uses fetch() directly without the fetchWithBlacklist() validation that protects all other automation steps, enabling attacks on cloud metadata endpoints (169.254.169.254), internal APIs, and private networks. Fixed in version 3.34.8.

SSRF Microsoft
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-46383 PyPI MEDIUM POC PATCH GHSA This Month

Archive extraction boundary failure in Microsoft APM's legacy-bundle probe allows local attackers to overwrite arbitrary files on Windows systems running Python 3.10 or 3.11. When users run 'apm install' on a malicious .tar.gz file, untrusted tar members bypass path validation, enabling absolute path writes (e.g., D:/...) that compromise system integrity. Fixed in version 0.13.0. No active exploitation confirmed at time of analysis, but the local attack vector with user interaction required (CVSS AV:L/UI:R) limits real-world risk to social engineering scenarios targeting AI agent developers on Windows platforms.

Path Traversal Python Microsoft
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-45539 PyPI HIGH PATCH GHSA This Week

Symbolic link following vulnerability in Microsoft APM dependency manager versions 0.5.4 to 0.12.4 allows remote attackers to read arbitrary files from the victim's system through malicious dependencies. The vulnerability occurs when APM processes symlinks in remote dependencies, following them to read local files and potentially exposing sensitive data that gets staged in git repositories. No public exploit identified at time of analysis.

Information Disclosure Microsoft
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.1%
CVE-2026-8398 CRITICAL POC KEV PATCH THREAT Act Now

Supply chain compromise of DAEMON Tools Lite for Windows delivered trojanized installers through the legitimate vendor website daemon-tools.cc from April 8 to May 5, 2026. Attackers compromised AVB Disc Soft's build infrastructure and injected malicious code into three binaries (DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe), all signed with the vendor's legitimate code-signing certificate. This allowed remote attackers to achieve arbitrary code execution on systems installing affected versions (12.5.0.2421 through 12.5.0.2434) with no user interaction required beyond normal installation. The legitimate digital signature bypassed security controls that rely on code-signing verification, making detection extremely difficult during the compromise window.

Authentication Bypass Microsoft
NVD VulDB
CVSS 4.0
9.3
EPSS
0.0%
Threat
4.9
CVE-2026-7373 HIGH This Week

Local privilege escalation in Rapid7 Metasploit Pro allows unprivileged Windows users to achieve SYSTEM-level execution via OpenSSL configuration file hijacking. The metasploitPostgreSQL service loads openssl.cnf from a non-existent directory writable by standard users, enabling arbitrary command execution with SYSTEM privileges. Rated CVSS 8.5 (High) with proof-of-concept exploitation status (E:P). EPSS data not yet available. Not currently listed in CISA KEV catalog, suggesting vendor-disclosed rather than observed in-the-wild exploitation at time of analysis.

Privilege Escalation Microsoft PostgreSQL OpenSSL
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-45369 PyPI HIGH POC PATCH GHSA This Week

Command injection in python-utcp allows remote attackers to execute arbitrary shell commands on Unix and Windows systems when user-controlled tool arguments are processed by the CLI communication protocol module. The _substitute_utcp_args method in cli_communication_protocol.py directly embeds unsanitized user input into bash or PowerShell commands without escaping, enabling full remote code execution. Vendor-released patch available in version 1.1.2 with shell-quoting mitigation (shlex.quote on Unix, single-quoted literals on Windows). CVSS 8.3 indicates high complexity and required user interaction, but scope change enables container/sandbox escape scenarios. No public exploit code or CISA KEV listing identified at time of analysis, though detailed proof-of-concept exists in the GitHub security advisory demonstrating data exfiltration via curl.

Python Microsoft Command Injection
NVD GitHub VulDB
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-45310 LIB HIGH PATCH GHSA This Week

HTTP redirect bypass in DeepSeek TUI's fetch_url tool allows Server-Side Request Forgery (SSRF) against cloud metadata endpoints and internal services. The tool validates only the initial URL against restricted IP blocklists but automatically follows up to 5 HTTP redirects without re-validation, enabling attackers to exfiltrate AWS/GCP/Azure IAM credentials and instance metadata via prompt injection attacks. Vendor-released patch available in version 0.8.22. No active exploitation confirmed (not in CISA KEV), but detailed proof-of-concept exists in public advisory demonstrating successful bypass of SSRF protections.

SSRF Microsoft
NVD GitHub
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-45667 PyPI MEDIUM PATCH GHSA This Month

Unauthenticated attackers can invoke the GET `/api/v1/memories/ef` endpoint in Open WebUI versions ≤0.7.2 to trigger arbitrary embedding generation without authentication, enabling cost-based attacks against paid embedding providers (OpenAI, Azure) and denial-of-service via resource exhaustion. The endpoint executes `request.app.state.EMBEDDING_FUNCTION()` without any authentication check, allowing unlimited free API calls to downstream embedding services. Vendor-released patch available in v0.8.0 (February 2026) that removes the vulnerable endpoint entirely.

Authentication Bypass Microsoft
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-45400 PyPI HIGH PATCH GHSA This Week

URL parser mismatch in Open WebUI allows authenticated users to bypass SSRF protections and access internal network resources. The validate_url function uses Python's urlparse library to extract hostnames for validation, while the requests library handles actual HTTP requests. These libraries disagree on parsing URLs containing backslash characters (e.g., http://127.0.0.1:6666\@1.1.1.1), allowing attackers to craft URLs that pass validation as external addresses but resolve to internal hosts. Exploitation requires low-privilege authentication but no user interaction, enabling access to cloud metadata endpoints and internal services. Fixed in version 0.9.5 per GitHub advisory GHSA-8w7q-q5jp-jvgx.

Google SSRF Microsoft Python
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-45397 PyPI MEDIUM POC PATCH GHSA This Month

Open WebUI's GET /api/v1/retrieval/ endpoint discloses RAG pipeline configuration including embedding models, chunking parameters, and RAG templates to unauthenticated attackers with a single HTTP request. The vulnerability affects v0.9.2 and earlier, where this endpoint lacks authentication guards present on all adjacent endpoints, enabling reconnaissance for RAG poisoning attacks and infrastructure fingerprinting without requiring credentials, authentication tokens, or user interaction.

Authentication Bypass Python Microsoft Information Disclosure
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-45395 npm HIGH PATCH GHSA This Week

Privilege escalation in Open WebUI allows authenticated users with 'write' access grants on tools to execute arbitrary server-side Python code without the required workspace.tools permission. The tool update endpoint (POST /api/v1/tools/id/{id}/update) fails to enforce the workspace.tools authorization check that gates code execution, allowing users explicitly denied code execution capabilities to bypass this security boundary. This breaks Open WebUI's documented trust model where workspace.tools permission is intentionally disabled by default and 'equivalent to giving them shell access to the server.' Exploitation achieves root code execution (PID 1) in default Docker deployments, enabling extraction of secrets (WEBUI_SECRET_KEY, API keys), database access, and filesystem read/write. Confirmed by GitHub security advisory GHSA-p4fx-23fq-jfg6. No public exploit or KEV listing at time of analysis, but detailed proof-of-concept with Burp Collaborator confirmation exists in the advisory.

Microsoft Python RCE Privilege Escalation Docker
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-45318 PyPI MEDIUM PATCH GHSA This Month

Stored cross-site scripting (XSS) in Open WebUI versions up to 0.9.2 allows authenticated users to upload malicious Office files (Excel, DOCX, PPT) that execute arbitrary JavaScript in the browsers of any user previewing the file. The vulnerability stems from rendering user-supplied HTML from file-preview components using Svelte's `{@html}` directive without DOMPurify sanitization, despite DOMPurify being available and correctly applied in 39% of the codebase's other rendering locations. This is a regression of a previously patched vulnerability (GHSA-jwf8-pv5p-vhmc) that was fixed in v0.8.0 but reintroduced after that release.

XSS Microsoft File Upload
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-8574 HIGH PATCH This Week

Use after free in Core in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Denial Of Service Microsoft Use After Free Memory Corruption Google +3
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-8573 HIGH PATCH This Week

Integer overflow in Codecs in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Medium)

Microsoft Google Buffer Overflow Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-8567 MEDIUM PATCH This Month

Integer overflow in ANGLE in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Medium)

Microsoft Google Buffer Overflow Red Hat Suse +1
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-8563 MEDIUM PATCH This Month

Navigation restrictions can be bypassed in Google Chrome for Windows versions prior to 148.0.7778.168 when attackers craft malicious HTML pages that exploit insufficient sandbox policy enforcement in iframe elements. User interaction (opening/visiting the crafted page) is required for exploitation. Google released a patched version addressing this medium-severity flaw. With EPSS exploitation probability at 0.02% (4th percentile) and no KEV listing, this represents a moderate-priority issue primarily affecting organizations running outdated Chrome versions on Windows systems.

Google Authentication Bypass Microsoft Red Hat Suse +1
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-8559 MEDIUM PATCH This Month

Integer overflow in Internationalization in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)

Microsoft Google Buffer Overflow Red Hat Suse +1
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-8556 LOW PATCH Monitor

Cross-origin data leakage in Google Chrome on Windows via ANGLE graphics library allows renderer-compromised attackers to steal sensitive data from other origins through specially crafted web pages. Affects Chrome versions prior to 148.0.7778.168 on Windows platforms. EPSS probability of 0.03% (10th percentile) indicates low observed exploitation likelihood, with CISA SSVC confirming no active exploitation and non-automatable attack chain. Vendor patch released in Chrome 148.0.7778.168 stable channel update. Attack requires successful renderer process compromise as prerequisite, combined with user interaction, creating a chained exploitation scenario rather than standalone vulnerability.

Google Authentication Bypass Microsoft Chrome
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-8555 HIGH PATCH This Week

Use after free in GTK in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Denial Of Service Microsoft Use After Free Memory Corruption RCE +4
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-8554 LOW PATCH Monitor

Out-of-bounds memory write in Google Chrome's ANGLE graphics library (Windows only) enables attackers who have already compromised the renderer process to corrupt memory via specially crafted HTML pages. Chrome 148.0.7778.168 patches this type confusion vulnerability. Despite high Chromium severity rating, CVSS 3.1 scores only 3.1 due to prerequisite renderer compromise, high attack complexity, and required user interaction. EPSS 0.03% (10th percentile) and SSVC indicating no known exploitation suggest limited real-world risk at time of analysis.

Google Microsoft Information Disclosure Memory Corruption Chrome
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-8547 HIGH PATCH This Week

Insufficient policy enforcement in Passwords in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: High)

Authentication Bypass Privilege Escalation Microsoft Google Red Hat +2
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-8546 MEDIUM PATCH This Month

Out of bounds read in GPU in Google Chrome on Mac and Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

Google Microsoft Information Disclosure Buffer Overflow Red Hat +2
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-8542 HIGH PATCH This Week

Use after free in Core in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Denial Of Service Microsoft Use After Free Memory Corruption Google +3
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-8531 HIGH PATCH This Week

Heap buffer overflow in WebML in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Heap Overflow Google Microsoft Buffer Overflow Red Hat +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-8530 HIGH PATCH This Week

Use after free in Network in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Denial Of Service Microsoft Use After Free Memory Corruption Google +3
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-8519 HIGH PATCH This Week

Integer overflow in ANGLE in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)

Microsoft Google Buffer Overflow Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-8510 HIGH PATCH This Week

Integer overflow in Skia in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)

Microsoft Google Buffer Overflow Red Hat Suse +1
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-42598 MEDIUM PATCH This Month

Path traversal in Pode PowerShell web framework versions 2.4.0 through 2.12.x allows high-privileged authenticated users to read arbitrary files from the server filesystem via crafted static route requests. An attacker with high privilege can request paths like http://localhost:8080/c:/Windows/System32/drivers/etc/hosts to retrieve sensitive file contents. The vulnerability is fixed in version 2.13.0.

Microsoft Path Traversal
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-44586 HIGH PATCH This Week

Stored cross-site scripting in SiYuan's Bazaar marketplace (versions 2.1.12 through 3.6.x) enables arbitrary code execution on the host system. The vulnerability stems from unescaped package author metadata rendering, which when exploited through a malicious marketplace package, allows attackers to leverage SiYuan's insecure Electron configuration (nodeIntegration enabled, contextIsolation disabled) to execute Node.js APIs and OS-level commands. No public exploit or active exploitation confirmed at time of analysis. CVSS 8.3 with high attack complexity and required user interaction suggests real-world exploitation depends on convincing users to view crafted marketplace entries.

XSS Microsoft Node.js
NVD GitHub
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-41615 CRITICAL PATCH Exploit Unlikely Act Now

Microsoft Authenticator on Android and iOS leaks sensitive information to unauthenticated remote attackers through network-based exploitation requiring user interaction. The scope change (S:C) in the CVSS vector indicates the vulnerability can affect resources beyond the vulnerable component, suggesting potential cross-account or session data exposure. Microsoft has released a patch addressing this exposure. EPSS data not available, not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis.

Microsoft Information Disclosure
NVD VulDB
CVSS 3.1
9.6
EPSS
0.1%
CVE-2026-42897 MEDIUM POC KEV PATCH THREAT Exploited Act Now

Cross-site scripting (XSS) in Microsoft Exchange Server enables remote attackers to spoof content and steal credentials without authentication. Affects Exchange Server 2016 CU23, 2019 CU14/CU15, and Subscription Edition. Functional exploit code exists (CVSS temporal E:F) though no active exploitation confirmed at analysis time. CVSS 8.1 (High) driven by network vector, no authentication requirement, and dual confidentiality/integrity impact. Microsoft released patches via MSRC security update guide. Medium-high priority for organizations running affected Exchange versions with webmail or OWA exposed.

XSS Microsoft Microsoft Exchange Server 2016 Cumulative Update 23 Microsoft Exchange Server 2019 Cumulative Update 14 Microsoft Exchange Server 2019 Cumulative Update 15 +1
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.2%
Threat
5.1
CVE-2026-26191 Go MEDIUM PATCH GHSA This Month

OS command injection in Fleet's software installer pipeline allows arbitrary code execution as root (macOS/Linux) or SYSTEM (Windows) on managed endpoints when a specially crafted software package is uninstalled. The vulnerability exists because package metadata fields are not sanitized before being incorporated into auto-generated uninstall scripts. An attacker with the ability to upload packages to Fleet can exploit this by embedding malicious commands in package metadata fields, resulting in code execution with elevated privileges when endpoints execute the uninstall operation. Patch version 4.81.1 available.

Microsoft Apple Command Injection
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.1%
CVE-2026-24899 Go HIGH PATCH GHSA This Week

JWT authentication bypass in Fleet's Windows MDM enrollment allows attackers with access to any Azure AD tenant to enroll unauthorized devices and access management APIs. Fleet validates JWT signatures using Microsoft's multi-tenant JWKS endpoint but fails to verify 'aud' (audience) or 'iss' (issuer) claims, accepting any Microsoft-signed token with the expected scopes. This enables unauthorized device enrollment and potential exposure of enrollment secrets embedded in MDM payloads. Vendor-released patch available in Fleet v4.82.0 (March 2026). No evidence of active exploitation (not in CISA KEV) at time of analysis, though the vulnerability was responsibly disclosed by security researcher @zaddy6.

Authentication Bypass Microsoft
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.1%
CVE-2026-23998 Go HIGH PATCH GHSA This Week

Client certificate validation bypass in Fleet's Windows MDM management endpoint allows remote attackers to impersonate enrolled devices and exfiltrate sensitive configuration data. With high attack complexity (CVSS:4.0 AV:N/AC:H), attackers possessing a valid device identifier can retrieve MDM payloads containing Wi-Fi credentials, VPN configurations, certificates, and other secrets. Vendor-released patch (Fleet v4.81.0) available. No public exploit or CISA KEV listing identified at time of analysis, though CVSS 8.2 severity reflects potential for credential theft and lateral movement.

Microsoft Information Disclosure
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-0248 MEDIUM PATCH This Month

Improper certificate validation in Palo Alto Networks Prisma Access Agent versions below 26.2.1 on Android and Chrome OS exposes VPN sessions to man-in-the-middle interception by adjacent-network attackers. An attacker co-located on the same network segment can present any certificate for any domain issued by a trusted Certificate Authority - bypassing domain-specific validation - to intercept VPN tunnel traffic and capture sensitive device information. No public exploit code exists and no active exploitation has been confirmed (EPSS 0.00%, not in CISA KEV); however, a vendor patch is available at version 26.2.1 and should be prioritized for mobile and Chrome OS deployments.

Apple Information Disclosure Google Microsoft Prisma Access Agent
NVD VulDB
CVSS 4.0
6.2
EPSS
0.0%
CVE-2026-0246 MEDIUM PATCH This Month

Local privilege escalation in Palo Alto Networks Prisma Access Agent (all versions prior to 26.2.1) allows any locally authenticated non-administrative user to elevate to root on macOS and Linux, or NT AUTHORITY\SYSTEM on Windows, by exploiting a flawed privilege management mechanism. Successful exploitation grants full control of the affected endpoint, enabling arbitrary code execution and unauthorized access to data restricted to privileged accounts. No public exploit exists and the vulnerability is absent from CISA KEV; however, SSVC rates technical impact as total, making patching a meaningful priority for multi-user and enterprise endpoint environments.

Google RCE Apple Paloalto Microsoft +2
NVD VulDB
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-0249 MEDIUM PATCH This Month

Improper certificate validation in Palo Alto Networks GlobalProtect App exposes macOS and Android users to adversary-in-the-middle attacks from locally adjacent network positions, enabling traffic interception and malicious software installation. The flaw allows an unauthenticated attacker on the same subnet - or a local non-administrative OS user - to redirect encrypted VPN communications to a rogue server by bypassing TLS certificate checks. No public exploit has been identified at time of analysis, EPSS is effectively zero, and CISA SSVC rates exploitation as none, though the high confidentiality and integrity impact on the vulnerable component warrants prompt patching on affected platforms.

Apple Paloalto Microsoft Authentication Bypass Globalprotect App
NVD VulDB
CVSS 4.0
4.9
EPSS
0.0%
CVE-2026-0251 MEDIUM PATCH This Month

Local privilege escalation vulnerabilities in Palo Alto Networks GlobalProtect App on Windows, macOS, and Linux allow a low-privileged local user to elevate to NT AUTHORITY\SYSTEM (Windows) or root (macOS/Linux), enabling full OS-level command execution. The root cause is CWE-426 (Untrusted Search Path), where the application resolves executables or libraries from attacker-controllable locations. No public exploit has been identified and CISA SSVC confirms exploitation status as none; however, SSVC rates technical impact as total, reflecting the complete privilege gain achievable upon successful exploitation.

Privilege Escalation Google Apple Microsoft Paloalto +2
NVD VulDB
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-30906 HIGH PATCH This Week

Local privilege escalation in Zoom Rooms for Windows versions prior to 7.0.0 allows an authenticated user to gain elevated privileges through an untrusted search path weakness in the installer. The flaw (CWE-426) carries a CVSS 7.8 (High) rating with complete confidentiality, integrity, and availability impact, though EPSS exploitation probability is very low (0.01%) and there is no public exploit identified at time of analysis. CISA SSVC indicates no observed exploitation but total technical impact, making this a credible insider-threat or post-compromise escalation vector rather than an internet-facing risk.

Microsoft Privilege Escalation Zoom Rooms
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-30905 HIGH PATCH This Week

Local privilege escalation in the Zoom Workplace VDI Plugin Windows Universal Installer before version 6.6.11 allows an authenticated low-privileged user to elevate to higher privileges through external control of a file name or path during installation routines. The flaw was reported by Zoom and carries CVSS 7.8 with total technical impact, though no public exploit identified at time of analysis and EPSS sits at 0.01%. SSVC indicates exploitation status 'none' and the attack is not automatable, marking this as a patch-on-schedule rather than emergency item.

Microsoft Privilege Escalation Zoom Workplace Vdi Plugin
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-44470 HIGH PATCH This Week

Local privilege escalation in Claude Desktop for Windows prior to 1.3834.0 allows a low-privileged user to gain SYSTEM-level file write primitives by abusing the CoworkVMService component. The service fails to validate whether the user-writable VM bundle directory is a real directory or an NTFS directory junction, enabling a classic link-following attack. No public exploit identified at time of analysis, and EPSS is negligible (0.01%), but SSVC rates technical impact as total.

Microsoft Privilege Escalation Claude Desktop
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.0%
EPSS 0% CVSS 7.3
HIGH This Week

Wine ships a .desktop file that registers itself as a MIME handler for EXE files and several other Windows executable file types. In some configurations, handling of an EXE file causes that file to be blindly executed with the permissions of the invoker. This allows escaping Flatpak and Snap sandboxes, because MIME handlers are not intended for use by code interpreters and loaders. NOTE: some parties feel that this is not a bug to be addressed in Wine, because there is no known solution that avoids a severe loss of usability (Wine could be a binfmt-misc handler, but binfmt-misc does not exist on all platforms supported by Wine).

Microsoft Information Disclosure Suse
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH NO ACTION HOSTED Monitor

Privilege elevation in Microsoft Entra ID (formerly Azure AD), specifically affecting Microsoft Global Secure Access (GSA), allows remote unauthenticated attackers to gain elevated privileges over the network. The CVSS 7.5 rating reflects high confidentiality impact with no required authentication or user interaction, though no public exploit has been identified at time of analysis. The vector points to a flaw in how identity or access tokens are evaluated, which is particularly sensitive given Entra ID's role as a primary IAM backbone for Microsoft 365 and Azure tenants.

Microsoft Privilege Escalation
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL PATCH NO ACTION HOSTED Monitor

Privilege escalation in Microsoft Entra ID enables remote unauthenticated attackers to bypass origin validation and gain elevated privileges across tenant boundaries (scope-changed). The CVSS 10.0 rating reflects maximum impact across confidentiality, integrity, and availability with no authentication or user interaction required, though no public exploit has been identified at time of analysis and EPSS data is not provided.

Microsoft Authentication Bypass
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL PATCH NO ACTION HOSTED Monitor

Unsafe deserialization in Microsoft Planetary Computer Pro (Geocatalog) lets a remote unauthenticated attacker craft malicious serialized payloads that the service processes, resulting in information disclosure across a trust boundary. The maximum CVSS 10.0 score reflects network-reachable exploitation with no privileges or user interaction and a scope change, though no public exploit identified at time of analysis and EPSS data was not provided.

Microsoft Deserialization
NVD VulDB
EPSS 1% 4.8 CVSS 8.8
HIGH POC KEV PATCH THREAT Exploit Unlikely Act Now

Authenticated remote code execution in Microsoft SharePoint (Enterprise Server 2016, Server 2019, and Subscription Edition) stems from unsafe deserialization of untrusted data (CWE-502), enabling an authorized attacker to run arbitrary code on the server over the network. CVSS 8.8 with low privileges required and no user interaction makes this attractive to post-authentication adversaries, though no public exploit identified at time of analysis and CVSS temporal data marks exploit code maturity as Unproven.

Microsoft Deserialization Microsoft Sharepoint Enterprise Server 2016 +2
NVD VulDB GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH NO ACTION HOSTED Monitor

Authentication bypass in Microsoft Azure Active Directory B2C (now part of Microsoft Entra) allows remote unauthenticated attackers to elevate privileges by reaching protected functionality through an alternate code path. The CVSS 9.1 vector (AV:N/AC:L/PR:N/UI:N) reflects network-reachable exploitation with no privileges and no user interaction, yielding high confidentiality and integrity impact against tenants relying on Azure AD B2C for identity. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the unauthenticated-network profile and Microsoft self-reporting make this a high-priority advisory for any tenant using B2C.

Microsoft Authentication Bypass
NVD
EPSS 0% CVSS 7.7
HIGH PATCH NO ACTION HOSTED Monitor

Information disclosure in Microsoft Azure Compute Gallery permits an authenticated remote attacker to read sensitive data across tenant or resource boundaries due to improper input validation (CWE-20). The scope-changed CVSS 7.7 rating reflects cross-boundary impact, but the exploit maturity is currently unproven (E:U) and no public exploit identified at time of analysis. Microsoft has published an official fix via MSRC.

Microsoft Information Disclosure
NVD
EPSS 0% CVSS 9.3
CRITICAL PATCH NO ACTION HOSTED Monitor

Command injection in Microsoft 365 Copilot for iOS allows remote unauthenticated attackers to tamper with system integrity over the network when a user is convinced to interact with malicious content. The flaw carries a critical CVSS score of 9.3 with a scope change indicating impact beyond the vulnerable component, though no public exploit identified at time of analysis. An official vendor patch is available via MSRC.

Microsoft Command Injection
NVD
EPSS 0% CVSS 10.0
CRITICAL PATCH NO ACTION HOSTED Monitor

Privilege elevation in Microsoft Azure Resource Manager (ARM) allows remote unauthenticated attackers to bypass authentication and gain elevated privileges across the cloud control plane. The flaw carries a maximum CVSS score of 10.0 due to a scope change combined with full confidentiality, integrity, and availability impact, and although Microsoft has released a fix there is no public exploit identified at time of analysis. Given ARM is the central management layer for nearly all Azure resources, successful exploitation could have broad tenant-wide consequences.

Microsoft Authentication Bypass
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH NO ACTION HOSTED Monitor

Remote code execution in Microsoft Azure Virtual Network Gateway allows an authenticated attacker with low privileges to execute arbitrary code across a network boundary due to improper input validation. The CVSS 9.9 score reflects scope-changed impact (S:C) where exploitation can compromise resources beyond the vulnerable component itself, affecting confidentiality, integrity, and availability. No public exploit identified at time of analysis, though the high score and managed-service nature warrant priority attention.

Microsoft Information Disclosure
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in Microsoft Azure Privileged Identity Management (PIM) allows an authenticated attacker to bypass authorization checks by manipulating a user-controlled key, escalating privileges over the network. The flaw stems from an Insecure Direct Object Reference (IDOR) pattern (CWE-639) where the service trusts a client-supplied identifier when making authorization decisions. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Microsoft Authentication Bypass
NVD
EPSS 0% CVSS 10.0
CRITICAL PATCH NO ACTION Monitor

Remote code execution in Microsoft Power Pages allows unauthenticated network attackers to inject and execute operating-system commands against the platform, with a maximum CVSS score of 10.0 reflecting changed scope and full confidentiality, integrity, and availability impact. The flaw stems from improper neutralization of special elements in command construction (CWE-77), and while no public exploit has been identified at time of analysis, Microsoft has released a patch via MSRC. Given Power Pages is a multi-tenant SaaS offering, a successful exploit could pivot beyond the initial site boundary.

Microsoft Command Injection
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL PATCH NO ACTION Monitor

Remote code execution in Microsoft Azure Orbital Spatio allows unauthenticated network attackers to upload dangerous file types and execute arbitrary code, earning a maximum CVSS 10.0 score with scope change (S:C). Per Microsoft's MSRC advisory, a vendor patch is available, though no public exploit has been identified at time of analysis and the EPSS score was not provided in the source data.

Microsoft File Upload
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Unprotected credential transport in syslink software AG Avantra before version 25.3.0 exposes authentication material to network-layer interception on both Linux and Windows deployments. The vulnerability, classified under CWE-523, allows a suitably positioned network adversary to capture credentials in transit, with the CVSS vector indicating high confidentiality and integrity impact upon successful exploitation. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the high attack complexity and high privilege prerequisite meaningfully constrain the realistic attacker population.

Microsoft Information Disclosure
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Default credential exposure in syslink software AG Avantra (all versions before 25.3.0) on Linux and Windows allows a local attacker with high-privilege access to authenticate using known default passwords, achieving high confidentiality impact against monitoring data and infrastructure configurations managed by the platform. Reported by NCSC.ch and addressed in version 25.3.0, this CWE-1393 flaw represents an insider threat or post-compromise lateral movement risk for organizations running Avantra in SAP and IT operations environments. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis.

Microsoft Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Sensitive information disclosure in syslink software AG Avantra (versions before 25.3.0) on Linux and Windows allows an attacker with high privileges and adjacent network access to harvest data written into log files, with a scope-changed impact crossing trust boundaries. The flaw is tracked as CWE-532 and rated CVSS 7.5, but no public exploit identified at time of analysis and it is not listed in CISA KEV.

Microsoft Information Disclosure
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Session replay weakness in syslink software AG's Avantra monitoring platform (versions before 25.3.1) on Linux and Windows allows remote attackers to reuse captured session identifiers because sessions are not properly expired. With CVSS 9.6 and scope change, an attacker who obtains a valid session ID can impersonate users and pivot into systems Avantra manages; no public exploit identified at time of analysis.

Microsoft Information Disclosure
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Blind Server-Side Request Forgery in FlaskBB's avatar URL handling allows any authenticated user to force the server to issue arbitrary HTTP GET requests to internal network endpoints, including cloud instance metadata services (AWS IMDSv1 at 169.254.169.254, GCP, Azure equivalents). All versions up to and including 2.2.0 of the pip-distributed FlaskBB package are affected, with no vendor-released patch available at time of analysis. A proof-of-concept is publicly available via the GitHub Security Advisory, and three distinct exploitation channels have been demonstrated: direct credential exfiltration from cloud metadata services, internal port scanning via differential error responses, and triggering of internal APIs (Elasticsearch, etcd, Consul, CI/CD webhooks).

Microsoft Elastic Python +1
NVD GitHub
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Redirect-based SSRF bypass in pyload-ng's parse_urls API allows authenticated attackers with ADD permission to probe internal network services and cloud metadata endpoints by chaining an open redirect through an attacker-controlled host. The prior SSRF fix (commit 33c55da, GHSA-7gvf-3w72-p2pg) correctly hardened HTTPChunk but left HTTPRequest used by RequestFactory.get_url() with allow_private_ip=True, rendering the is_global_host() check on the initial URL ineffective against 302 redirects to private IP space. A public proof-of-concept exploit exists demonstrating exfiltration of AWS IMDSv1 metadata; no public exploit identified at time of analysis for active in-the-wild exploitation, and CVE-2026-46561 is not listed in the CISA KEV catalog.

Microsoft Python SSRF
NVD GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sensitive credential disclosure in OpenMetadata 1.12.1 allows any authenticated non-admin SSO user to retrieve cleartext database passwords and a long-lived ingestion-bot JWT by triggering a TEST_CONNECTION workflow via POST /api/v1/automations/workflows. The HTTP 201 response unexpectedly echoes the stored Oracle/database secret and the bot's bearer token, which can then be replayed against service APIs with bot-level privileges. A detailed proof-of-concept is published in the GitHub Security Advisory (GHSA-9vmh-whc4-7phg), so publicly available exploit code exists; no public exploit identified at time of analysis in CISA KEV.

Microsoft Information Disclosure Apache +1
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

SSO authentication callback origin validation failure in Mattermost Mobile Apps enables cross-server credential theft across multiple release branches (≤11.1.3, ≤11.3.2, ≤11.0.4, ≤10.11.11, ≤2.0.37). An attacker operating a malicious Mattermost server can relay the SSO authorization code exchange through a victim's mobile application to authenticate against a separate, legitimate Mattermost server - stealing valid session credentials without the victim's awareness. No public exploit has been identified at time of analysis, and CVSS AC:H constrains this to targeted, engineered attacks rather than opportunistic mass exploitation.

Microsoft CSRF Mattermost
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome on Windows prior to 148.0.7778.179 stems from a use-after-free flaw in the XR (WebXR) component, enabling a remote attacker to run arbitrary code in the renderer process by enticing a user to visit a crafted HTML page. Chromium rates the issue High severity and CVSS scores it 8.8; no public exploit identified at time of analysis and SSVC reports exploitation status as none. A vendor patch is available via the Stable Channel update referenced in the Chrome Releases advisory.

Microsoft Google RCE +6
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome on Windows prior to version 148.0.7778.179 stems from a use-after-free condition in the GPU component, enabling a remote attacker to run arbitrary code within the renderer sandbox after the victim loads a crafted HTML page. Google has rated the issue High severity and shipped a fix; no public exploit identified at time of analysis and SSVC indicates exploitation status 'none' despite total technical impact.

Microsoft Google RCE +6
NVD VulDB
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

UI spoofing in Google Chrome on Windows (prior to 148.0.7778.179) enables a remote attacker who has already achieved renderer process compromise to deceive end users through a crafted HTML page, exploiting CWE-451 (UI Misrepresentation of Critical Information). Affected users on Windows running any Chrome version below 148.0.7778.179 are exposed to potential phishing or credential-harvesting scenarios dressed up as legitimate browser UI. No public exploit code or CISA KEV listing exists at time of analysis, but the Chromium team assigned a Critical internal severity - a meaningful contrast with the NVD CVSS score of 4.2 - suggesting the spoofing potential carries downstream risk beyond what the base score reflects.

Microsoft Information Disclosure Google +3
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

HTML sanitizer bypass in CryptPad's Diffmarked.js allows remote unauthenticated attackers to inject arbitrary HTML into collaborative documents, completely defeating the platform's bounce sandboxing mechanism. All CryptPad versions prior to 2026.2.0 are affected; the CVSS scope change (S:C) reflects that exploitation crosses sandbox boundaries, enabling link injection and delivery of malicious interactive content to any user who opens a crafted document. No public exploit code has been identified at time of analysis and this CVE is not listed in CISA KEV, though the attack vector is network-accessible with no authentication required.

Microsoft Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-origin read access to Algernon's SSE auto-refresh event server (versions ≤ 1.17.6) allows any web page visited by a developer to silently subscribe to the live file-change stream via a browser-native EventSource. The root cause is a hardcoded wildcard `Access-Control-Allow-Origin: *` response header in the dedicated SSE port activated by the `-a` flag, with no origin inspection or allow-list logic present in the vendored recwatch handler. No public exploit identified at time of analysis per KEV absence, though a complete working proof-of-concept - including exploit HTML and curl verification transcript - is published in GHSA-hw27-4v2q-5qff.

Information Disclosure Cors Misconfiguration Microsoft +2
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Algernon's auto-refresh SSE event server unintentionally exposes developer file-change streams to unauthenticated LAN peers on Linux and macOS due to a platform-dependent bind address default that was never intended to reach adjacent hosts. On non-Windows platforms, the SSE listener resolves to 0.0.0.0:5553 (all interfaces), while Windows correctly binds to 127.0.0.1:5553 - a silent asymmetry introduced in engine/flags.go that leaves developers on the most common Algernon platforms exposed whenever they work on shared networks. A publicly available proof-of-concept demonstrates that any host on the same subnet can enumerate project filenames and edit timing with a single unauthenticated curl command, with no developer interaction required; no public exploit identified at time of analysis rises to confirmed active exploitation (not in CISA KEV).

Microsoft Information Disclosure Apple
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in Microsoft's Windows Admin Center (Azure Portal edition) allows an authenticated low-privileged attacker to gain higher privileges by abusing symbolic link resolution before file access. The flaw, reported by Microsoft itself, carries a CVSS 7.8 with no public exploit identified at time of analysis, and a vendor patch is available via the Microsoft Security Response Center advisory.

Microsoft Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Remote code execution in Microsoft Defender (Microsoft Malware Protection Engine) enables unauthenticated network-based attackers to corrupt heap memory and run arbitrary code on hosts running the vulnerable scanning engine. The flaw scores CVSS 8.1 with high attack complexity, affects systems by default since Defender is shipped with Windows, and at time of analysis has no public exploit identified, though Microsoft has released a vendor patch via MSRC.

Microsoft Buffer Overflow Heap Overflow
NVD VulDB
EPSS 12% 4.9 CVSS 7.8
HIGH POC KEV PATCH THREAT Exploited Act Now

Local privilege escalation in Microsoft Defender (Malware Protection Engine) enables an authenticated low-privileged attacker to elevate to SYSTEM by abusing improper link resolution (CWE-59) before file access. The flaw scores CVSS 7.8 with high impact to confidentiality, integrity, and availability, and no public exploit is identified at time of analysis. Microsoft has released a patch via MSRC, and there is no current CISA KEV listing or EPSS signal indicating active mass exploitation.

Microsoft Information Disclosure
NVD VulDB GitHub
EPSS 2% CVSS 4.0
MEDIUM POC KEV PATCH THREAT Exploited Act Now

Denial of service in Microsoft Defender Antimalware Platform allows a local, unprivileged attacker to partially degrade availability with low attack complexity and no user interaction required. The CVSS 4.0 score reflects limited impact - confidentiality and integrity are unaffected, and availability impact is rated Low. Vendor patch is available via Microsoft Security Response Center; no public exploit identified at time of analysis and no CISA KEV listing.

Microsoft Denial Of Service
NVD VulDB
EPSS 0% CVSS 6.8
MEDIUM Exploit Likely This Month

Windows security feature bypass, publicly dubbed 'YellowKey', exposes systems to full confidentiality, integrity, and availability compromise via command injection (CWE-77) requiring only physical access - no credentials or user interaction needed. A proof-of-concept was released publicly prior to patch availability, violating coordinated disclosure norms, which lowers the attacker skill bar significantly. No vendor-released patch exists at time of analysis; Microsoft has confirmed the issue and is preparing a security update.

Microsoft Command Injection
NVD VulDB GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Unauthenticated agent token theft in Coder v2 (self-hosted developer workspace platform) stems from azureidentity.Validate() verifying the PKCS#7 signer's certificate chain but skipping signature verification of the signed content itself. Remote attackers who know a target VM's vmId (a UUIDv4) can forge a PKCS#7 envelope containing a legitimate Azure certificate alongside attacker-controlled content and POST it to the unauthenticated /api/v2/workspaceagents/azure-instance-identity endpoint to receive the victim workspace agent's session token, which then unlocks Git SSH keys, OAuth tokens for GitHub/GitLab/Bitbucket, and workspace secrets. No public exploit identified at time of analysis, but the vulnerability is vendor-confirmed via GHSA-6x44-w3xg-hqqf and a detailed root-cause analysis with attack-path diagram is published.

Microsoft Jwt Attack Hashicorp +2
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Path traversal in pymdownx.snippets versions 10.0.1 through 10.21.2 allows unauthenticated remote attackers to read arbitrary files from sibling directories outside the configured base_path, bypassing the restrict_base_path protection intended by CVE-2023-32309. The bypass exploits a string-prefix comparison introduced in PR #2039 that lacks directory-boundary enforcement, enabling a crafted snippet directive like '--8<-- "../docs_secret/leak.txt"' to escape the configured base directory when sibling paths share the same string prefix. Publicly available exploit code (proof-of-concept) exists in the GitHub Security Advisory; the vulnerability is not confirmed actively exploited in the CISA KEV catalog at time of analysis.

Microsoft Path Traversal Python
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Unauthenticated semi-blind Server-Side Request Forgery in Coder's Azure instance identity endpoint allows any remote attacker to force the Coder server to issue HTTP GET requests to arbitrary internal or external hosts, enabling internal network reconnaissance, cloud metadata service probing (e.g., 169.254.169.254), and error-based information disclosure of network topology. The vulnerability exists across all supported Coder release lines prior to v2.29.13/v2.30.8/v2.31.12/v2.32.2/v2.33.3/v2.24.5 (ESR), and has been patched in GitHub PR #25274. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Microsoft Information Disclosure SSRF
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Path traversal in go-git allows crafted repository payloads to write files outside the intended checkout directory, including into the repository's .git directory and parent paths. The vulnerability stems from go-git failing to implement path validation checks that upstream Git adopted years ago, creating a drift-induced security gap across all supported platforms - with additional platform-specific attack vectors affecting Windows and macOS users distinctly. CVSS scores this at 5.4 medium with no public exploit identified at time of analysis and no CISA KEV listing, but the real-world risk is elevated in automated pipelines or developer tooling that processes untrusted repositories without human review.

Microsoft Path Traversal Apple
NVD GitHub VulDB
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Pre-authenticated remote code execution in Algernon web server (≤ 1.17.6) allows attackers who can place a handler.lua file anywhere in a parent directory of the server root to execute arbitrary Lua - including shell commands via run3() and os.execute - in the server process on the next HTTP request. The flaw stems from DirPage walking up to 100 ancestor directories past the configured server root searching for handler.lua, and the permission middleware does not gate this lookup, so an anonymous GET / suffices to trigger execution. Publicly available exploit code exists (the reporter published three working PoC variants and a live verification against 1.17.6).

Microsoft Redis RCE +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Information disclosure in Algernon web server versions 1.17.6 and earlier allows unauthenticated remote attackers to retrieve full server-side source code, including embedded secrets, by triggering runtime errors in Lua, Pongo2, Amber, or HTML template handlers. When Algernon is started with a single file path (e.g. `algernon page.po2`), single-file mode unconditionally forces debug mode on, activating the PrettyError renderer which returns absolute file paths and complete file contents in HTTP 200 responses. Crucially, the `--prod` hardening flag does not block this behavior for non-`.lua` extensions, and publicly available exploit code exists in the GHSA advisory.

Microsoft Information Disclosure Python
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

An issue was discovered in the Portrait Dell Color Management application before 3.7.0 for Dell monitors. On Windows, a symbolic link vulnerability allows a local low-privileged user to escalate privileges to Administrator. During installation, the software writes the file CCFLFamily_07Feb11.edr to C:\ProgramData\Portrait Displays\CW\data\i1D3\ while running with elevated privileges. Because the installer does not properly validate symbolic links or reparse points at the destination path, an attacker can create a malicious link that redirects the write operation to an arbitrary system location, enabling arbitrary file creation or overwrite with elevated privileges.

Microsoft Dell Privilege Escalation
NVD
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Local privilege code execution in jarrodwatts/claude-hud through version 0.0.12 on Windows allows authenticated local users to run arbitrary executables by setting the COMSPEC environment variable before the tool's version check, where execFile() launches whatever binary COMSPEC points to with cmd.exe-style arguments. The flaw is tracked as CWE-427 (Uncontrolled Search Path Element) and was reported by VulnCheck; no public exploit identified at time of analysis, but the upstream commit 234d9aa makes the fix mechanics straightforward to reverse-engineer.

RCE Microsoft Command Injection +1
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL PATCH Exploit Likely Act Now

Privilege elevation in Microsoft Azure Local Disconnected Operations allows unauthenticated network-based attackers to gain elevated rights via an improper authentication weakness (CWE-287). The flaw carries a maximum CVSS 10.0 score with scope change, and Microsoft has issued a patched build (Azure Local 2604.2.25645). No public exploit identified at time of analysis, but the trivial attack profile (AV:N/AC:L/PR:N/UI:N) makes this a top-priority fix for affected hybrid-cloud deployments.

Authentication Bypass Microsoft
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH Exploit Likely This Week

Remote code execution in Microsoft Edge (Chromium-based) versions prior to 148.0.3967.70 allows attackers to execute arbitrary code on victim systems when a user is lured to a malicious webpage. The vulnerability stems from improper input validation (CWE-20) and carries a CVSS 3.1 score of 8.8 with high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

RCE Google Microsoft
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH Exploit Likely This Month

Cross-site scripting (XSS)-based spoofing in Microsoft Edge (Chromium-based) versions prior to 148.0.3967.70 allows remote unauthenticated attackers to inject and execute scripts within the browser context, manipulating rendered content or UI trust indicators to deceive users. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms low-complexity, network-reachable exploitation requiring only that a victim visit a malicious page. Impact is constrained to limited confidentiality and integrity loss (C:L/I:L/A:N), consistent with spoofing and credential-phishing scenarios rather than full system compromise. No public exploit identified at time of analysis and no CISA KEV listing.

Google Microsoft XSS
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH Exploit Likely This Month

Security feature bypass in Microsoft Edge (Chromium-based) versions prior to 148.0.3967.70 enables remote attackers to circumvent browser security controls through improper input validation (CWE-20), resulting in limited confidentiality and integrity compromise. The CVSS vector (AV:N/AC:L/PR:N/UI:R) confirms exploitation is network-based, requires no attacker privileges, but demands user interaction - consistent with a browser-based attack requiring a victim to engage with malicious content. No public exploit code or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Google Microsoft
NVD VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Improper SSL/TLS certificate validation in Dell Live Optics Windows and Personal Edition collectors allows remote attackers to intercept and modify data transmitted by the collector. The vulnerability requires network positioning (man-in-the-middle) and user interaction, making exploitation moderately complex but enabling complete compromise of data confidentiality and integrity for collector communications. Dell has released patches in version 27.1.10.1 to address the certificate validation flaw.

Information Disclosure Dell Microsoft
NVD VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

OAuth authorization code interception in Mattermost 10.11.x through 10.11.13 and 11.5.x through 11.5.1 allows authenticated OAuth clients to redeem authorization codes issued to different clients. An attacker controlling a malicious OAuth application can intercept and exchange authorization codes meant for legitimate applications, potentially gaining unauthorized access to user data or sessions. CVSS score of 3.1 reflects high attack complexity and required privileges, with EPSS data not provided. Vendor patch released per Mattermost advisory MMSA-2026-00570.

Mattermost Information Disclosure Microsoft
NVD VulDB
EPSS 0% CVSS 8.5
HIGH POC This Week

Kite 4.2.0.1 U1 contains an unquoted service path vulnerability in the KiteService Windows service that allows local attackers to escalate privileges by exploiting the service binary path. Rated high severity (CVSS 8.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Microsoft Privilege Escalation
NVD Exploit-DB VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

SQL injection in phpMyFAQ prior to 4.1.2 allows attackers authenticating through Azure AD/Entra ID OAuth to execute arbitrary database queries by embedding SQL metacharacters in their identity provider display name or JWT claims. The CurrentUser::setTokenData() method interpolates OAuth token fields into an UPDATE statement via sprintf without calling the database escape routine, while sibling methods in the same file correctly escape input. Publicly available exploit code exists per VulnCheck and the GHSA advisory, though EPSS is low (0.03%, 9th percentile) and the issue is not in CISA KEV.

Microsoft SQLi
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Budibase's REST datasource integration before version 3.38.1 bypasses IP blacklist security controls through HTTP redirect following. Authenticated Builder-level users can exploit this to access cloud metadata services and internal databases by redirecting requests through attacker-controlled servers, potentially stealing AWS/GCP/Azure credentials. This vulnerability class was previously fixed in automation steps but the REST integration was overlooked, creating an inconsistent security posture.

Redis Python SSRF +1
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Server-Side Request Forgery (SSRF) in Budibase's AI Extract File automation step allows authenticated users with builder permissions to bypass IP blacklist protections and access internal resources. The vulnerability exists because the processUrlFile function uses fetch() directly without the fetchWithBlacklist() validation that protects all other automation steps, enabling attacks on cloud metadata endpoints (169.254.169.254), internal APIs, and private networks. Fixed in version 3.34.8.

SSRF Microsoft
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Archive extraction boundary failure in Microsoft APM's legacy-bundle probe allows local attackers to overwrite arbitrary files on Windows systems running Python 3.10 or 3.11. When users run 'apm install' on a malicious .tar.gz file, untrusted tar members bypass path validation, enabling absolute path writes (e.g., D:/...) that compromise system integrity. Fixed in version 0.13.0. No active exploitation confirmed at time of analysis, but the local attack vector with user interaction required (CVSS AV:L/UI:R) limits real-world risk to social engineering scenarios targeting AI agent developers on Windows platforms.

Path Traversal Python Microsoft
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Symbolic link following vulnerability in Microsoft APM dependency manager versions 0.5.4 to 0.12.4 allows remote attackers to read arbitrary files from the victim's system through malicious dependencies. The vulnerability occurs when APM processes symlinks in remote dependencies, following them to read local files and potentially exposing sensitive data that gets staged in git repositories. No public exploit identified at time of analysis.

Information Disclosure Microsoft
NVD GitHub VulDB
EPSS 0% 4.9 CVSS 9.3
CRITICAL POC KEV PATCH THREAT Act Now

Supply chain compromise of DAEMON Tools Lite for Windows delivered trojanized installers through the legitimate vendor website daemon-tools.cc from April 8 to May 5, 2026. Attackers compromised AVB Disc Soft's build infrastructure and injected malicious code into three binaries (DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe), all signed with the vendor's legitimate code-signing certificate. This allowed remote attackers to achieve arbitrary code execution on systems installing affected versions (12.5.0.2421 through 12.5.0.2434) with no user interaction required beyond normal installation. The legitimate digital signature bypassed security controls that rely on code-signing verification, making detection extremely difficult during the compromise window.

Authentication Bypass Microsoft
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

Local privilege escalation in Rapid7 Metasploit Pro allows unprivileged Windows users to achieve SYSTEM-level execution via OpenSSL configuration file hijacking. The metasploitPostgreSQL service loads openssl.cnf from a non-existent directory writable by standard users, enabling arbitrary command execution with SYSTEM privileges. Rated CVSS 8.5 (High) with proof-of-concept exploitation status (E:P). EPSS data not yet available. Not currently listed in CISA KEV catalog, suggesting vendor-disclosed rather than observed in-the-wild exploitation at time of analysis.

Privilege Escalation Microsoft PostgreSQL +1
NVD VulDB
EPSS 0% CVSS 8.3
HIGH POC PATCH This Week

Command injection in python-utcp allows remote attackers to execute arbitrary shell commands on Unix and Windows systems when user-controlled tool arguments are processed by the CLI communication protocol module. The _substitute_utcp_args method in cli_communication_protocol.py directly embeds unsanitized user input into bash or PowerShell commands without escaping, enabling full remote code execution. Vendor-released patch available in version 1.1.2 with shell-quoting mitigation (shlex.quote on Unix, single-quoted literals on Windows). CVSS 8.3 indicates high complexity and required user interaction, but scope change enables container/sandbox escape scenarios. No public exploit code or CISA KEV listing identified at time of analysis, though detailed proof-of-concept exists in the GitHub security advisory demonstrating data exfiltration via curl.

Python Microsoft Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

HTTP redirect bypass in DeepSeek TUI's fetch_url tool allows Server-Side Request Forgery (SSRF) against cloud metadata endpoints and internal services. The tool validates only the initial URL against restricted IP blocklists but automatically follows up to 5 HTTP redirects without re-validation, enabling attackers to exfiltrate AWS/GCP/Azure IAM credentials and instance metadata via prompt injection attacks. Vendor-released patch available in version 0.8.22. No active exploitation confirmed (not in CISA KEV), but detailed proof-of-concept exists in public advisory demonstrating successful bypass of SSRF protections.

SSRF Microsoft
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Unauthenticated attackers can invoke the GET `/api/v1/memories/ef` endpoint in Open WebUI versions ≤0.7.2 to trigger arbitrary embedding generation without authentication, enabling cost-based attacks against paid embedding providers (OpenAI, Azure) and denial-of-service via resource exhaustion. The endpoint executes `request.app.state.EMBEDDING_FUNCTION()` without any authentication check, allowing unlimited free API calls to downstream embedding services. Vendor-released patch available in v0.8.0 (February 2026) that removes the vulnerable endpoint entirely.

Authentication Bypass Microsoft
NVD GitHub
EPSS 0% CVSS 8.5
HIGH PATCH This Week

URL parser mismatch in Open WebUI allows authenticated users to bypass SSRF protections and access internal network resources. The validate_url function uses Python's urlparse library to extract hostnames for validation, while the requests library handles actual HTTP requests. These libraries disagree on parsing URLs containing backslash characters (e.g., http://127.0.0.1:6666\@1.1.1.1), allowing attackers to craft URLs that pass validation as external addresses but resolve to internal hosts. Exploitation requires low-privilege authentication but no user interaction, enabling access to cloud metadata endpoints and internal services. Fixed in version 0.9.5 per GitHub advisory GHSA-8w7q-q5jp-jvgx.

Google SSRF Microsoft +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Open WebUI's GET /api/v1/retrieval/ endpoint discloses RAG pipeline configuration including embedding models, chunking parameters, and RAG templates to unauthenticated attackers with a single HTTP request. The vulnerability affects v0.9.2 and earlier, where this endpoint lacks authentication guards present on all adjacent endpoints, enabling reconnaissance for RAG poisoning attacks and infrastructure fingerprinting without requiring credentials, authentication tokens, or user interaction.

Authentication Bypass Python Microsoft +1
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Privilege escalation in Open WebUI allows authenticated users with 'write' access grants on tools to execute arbitrary server-side Python code without the required workspace.tools permission. The tool update endpoint (POST /api/v1/tools/id/{id}/update) fails to enforce the workspace.tools authorization check that gates code execution, allowing users explicitly denied code execution capabilities to bypass this security boundary. This breaks Open WebUI's documented trust model where workspace.tools permission is intentionally disabled by default and 'equivalent to giving them shell access to the server.' Exploitation achieves root code execution (PID 1) in default Docker deployments, enabling extraction of secrets (WEBUI_SECRET_KEY, API keys), database access, and filesystem read/write. Confirmed by GitHub security advisory GHSA-p4fx-23fq-jfg6. No public exploit or KEV listing at time of analysis, but detailed proof-of-concept with Burp Collaborator confirmation exists in the advisory.

Microsoft Python RCE +2
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in Open WebUI versions up to 0.9.2 allows authenticated users to upload malicious Office files (Excel, DOCX, PPT) that execute arbitrary JavaScript in the browsers of any user previewing the file. The vulnerability stems from rendering user-supplied HTML from file-preview components using Svelte's `{@html}` directive without DOMPurify sanitization, despite DOMPurify being available and correctly applied in 39% of the codebase's other rendering locations. This is a regression of a previously patched vulnerability (GHSA-jwf8-pv5p-vhmc) that was fixed in v0.8.0 but reintroduced after that release.

XSS Microsoft File Upload
NVD GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Use after free in Core in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Denial Of Service Microsoft Use After Free +5
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Integer overflow in Codecs in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Medium)

Microsoft Google Buffer Overflow +3
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Integer overflow in ANGLE in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Medium)

Microsoft Google Buffer Overflow +3
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Navigation restrictions can be bypassed in Google Chrome for Windows versions prior to 148.0.7778.168 when attackers craft malicious HTML pages that exploit insufficient sandbox policy enforcement in iframe elements. User interaction (opening/visiting the crafted page) is required for exploitation. Google released a patched version addressing this medium-severity flaw. With EPSS exploitation probability at 0.02% (4th percentile) and no KEV listing, this represents a moderate-priority issue primarily affecting organizations running outdated Chrome versions on Windows systems.

Google Authentication Bypass Microsoft +3
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Integer overflow in Internationalization in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)

Microsoft Google Buffer Overflow +3
NVD VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Cross-origin data leakage in Google Chrome on Windows via ANGLE graphics library allows renderer-compromised attackers to steal sensitive data from other origins through specially crafted web pages. Affects Chrome versions prior to 148.0.7778.168 on Windows platforms. EPSS probability of 0.03% (10th percentile) indicates low observed exploitation likelihood, with CISA SSVC confirming no active exploitation and non-automatable attack chain. Vendor patch released in Chrome 148.0.7778.168 stable channel update. Attack requires successful renderer process compromise as prerequisite, combined with user interaction, creating a chained exploitation scenario rather than standalone vulnerability.

Google Authentication Bypass Microsoft +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in GTK in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Denial Of Service Microsoft Use After Free +6
NVD VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Out-of-bounds memory write in Google Chrome's ANGLE graphics library (Windows only) enables attackers who have already compromised the renderer process to corrupt memory via specially crafted HTML pages. Chrome 148.0.7778.168 patches this type confusion vulnerability. Despite high Chromium severity rating, CVSS 3.1 scores only 3.1 due to prerequisite renderer compromise, high attack complexity, and required user interaction. EPSS 0.03% (10th percentile) and SSVC indicating no known exploitation suggest limited real-world risk at time of analysis.

Google Microsoft Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Insufficient policy enforcement in Passwords in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: High)

Authentication Bypass Privilege Escalation Microsoft +4
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Out of bounds read in GPU in Google Chrome on Mac and Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

Google Microsoft Information Disclosure +4
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Use after free in Core in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Denial Of Service Microsoft Use After Free +5
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap buffer overflow in WebML in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Heap Overflow Google Microsoft +4
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Use after free in Network in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Denial Of Service Microsoft Use After Free +5
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Integer overflow in ANGLE in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)

Microsoft Google Buffer Overflow +3
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Integer overflow in Skia in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)

Microsoft Google Buffer Overflow +3
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Path traversal in Pode PowerShell web framework versions 2.4.0 through 2.12.x allows high-privileged authenticated users to read arbitrary files from the server filesystem via crafted static route requests. An attacker with high privilege can request paths like http://localhost:8080/c:/Windows/System32/drivers/etc/hosts to retrieve sensitive file contents. The vulnerability is fixed in version 2.13.0.

Microsoft Path Traversal
NVD GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Stored cross-site scripting in SiYuan's Bazaar marketplace (versions 2.1.12 through 3.6.x) enables arbitrary code execution on the host system. The vulnerability stems from unescaped package author metadata rendering, which when exploited through a malicious marketplace package, allows attackers to leverage SiYuan's insecure Electron configuration (nodeIntegration enabled, contextIsolation disabled) to execute Node.js APIs and OS-level commands. No public exploit or active exploitation confirmed at time of analysis. CVSS 8.3 with high attack complexity and required user interaction suggests real-world exploitation depends on convincing users to view crafted marketplace entries.

XSS Microsoft Node.js
NVD GitHub
EPSS 0% CVSS 9.6
CRITICAL PATCH Exploit Unlikely Act Now

Microsoft Authenticator on Android and iOS leaks sensitive information to unauthenticated remote attackers through network-based exploitation requiring user interaction. The scope change (S:C) in the CVSS vector indicates the vulnerability can affect resources beyond the vulnerable component, suggesting potential cross-account or session data exposure. Microsoft has released a patch addressing this exposure. EPSS data not available, not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis.

Microsoft Information Disclosure
NVD VulDB
EPSS 0% 5.1 CVSS 6.1
MEDIUM POC KEV PATCH THREAT Exploited Act Now

Cross-site scripting (XSS) in Microsoft Exchange Server enables remote attackers to spoof content and steal credentials without authentication. Affects Exchange Server 2016 CU23, 2019 CU14/CU15, and Subscription Edition. Functional exploit code exists (CVSS temporal E:F) though no active exploitation confirmed at analysis time. CVSS 8.1 (High) driven by network vector, no authentication requirement, and dual confidentiality/integrity impact. Microsoft released patches via MSRC security update guide. Medium-high priority for organizations running affected Exchange versions with webmail or OWA exposed.

XSS Microsoft Microsoft Exchange Server 2016 Cumulative Update 23 +3
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

OS command injection in Fleet's software installer pipeline allows arbitrary code execution as root (macOS/Linux) or SYSTEM (Windows) on managed endpoints when a specially crafted software package is uninstalled. The vulnerability exists because package metadata fields are not sanitized before being incorporated into auto-generated uninstall scripts. An attacker with the ability to upload packages to Fleet can exploit this by embedding malicious commands in package metadata fields, resulting in code execution with elevated privileges when endpoints execute the uninstall operation. Patch version 4.81.1 available.

Microsoft Apple Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

JWT authentication bypass in Fleet's Windows MDM enrollment allows attackers with access to any Azure AD tenant to enroll unauthorized devices and access management APIs. Fleet validates JWT signatures using Microsoft's multi-tenant JWKS endpoint but fails to verify 'aud' (audience) or 'iss' (issuer) claims, accepting any Microsoft-signed token with the expected scopes. This enables unauthorized device enrollment and potential exposure of enrollment secrets embedded in MDM payloads. Vendor-released patch available in Fleet v4.82.0 (March 2026). No evidence of active exploitation (not in CISA KEV) at time of analysis, though the vulnerability was responsibly disclosed by security researcher @zaddy6.

Authentication Bypass Microsoft
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Client certificate validation bypass in Fleet's Windows MDM management endpoint allows remote attackers to impersonate enrolled devices and exfiltrate sensitive configuration data. With high attack complexity (CVSS:4.0 AV:N/AC:H), attackers possessing a valid device identifier can retrieve MDM payloads containing Wi-Fi credentials, VPN configurations, certificates, and other secrets. Vendor-released patch (Fleet v4.81.0) available. No public exploit or CISA KEV listing identified at time of analysis, though CVSS 8.2 severity reflects potential for credential theft and lateral movement.

Microsoft Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 6.2
MEDIUM PATCH This Month

Improper certificate validation in Palo Alto Networks Prisma Access Agent versions below 26.2.1 on Android and Chrome OS exposes VPN sessions to man-in-the-middle interception by adjacent-network attackers. An attacker co-located on the same network segment can present any certificate for any domain issued by a trusted Certificate Authority - bypassing domain-specific validation - to intercept VPN tunnel traffic and capture sensitive device information. No public exploit code exists and no active exploitation has been confirmed (EPSS 0.00%, not in CISA KEV); however, a vendor patch is available at version 26.2.1 and should be prioritized for mobile and Chrome OS deployments.

Apple Information Disclosure Google +2
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Local privilege escalation in Palo Alto Networks Prisma Access Agent (all versions prior to 26.2.1) allows any locally authenticated non-administrative user to elevate to root on macOS and Linux, or NT AUTHORITY\SYSTEM on Windows, by exploiting a flawed privilege management mechanism. Successful exploitation grants full control of the affected endpoint, enabling arbitrary code execution and unauthorized access to data restricted to privileged accounts. No public exploit exists and the vulnerability is absent from CISA KEV; however, SSVC rates technical impact as total, making patching a meaningful priority for multi-user and enterprise endpoint environments.

Google RCE Apple +4
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Improper certificate validation in Palo Alto Networks GlobalProtect App exposes macOS and Android users to adversary-in-the-middle attacks from locally adjacent network positions, enabling traffic interception and malicious software installation. The flaw allows an unauthenticated attacker on the same subnet - or a local non-administrative OS user - to redirect encrypted VPN communications to a rogue server by bypassing TLS certificate checks. No public exploit has been identified at time of analysis, EPSS is effectively zero, and CISA SSVC rates exploitation as none, though the high confidentiality and integrity impact on the vulnerable component warrants prompt patching on affected platforms.

Apple Paloalto Microsoft +2
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Local privilege escalation vulnerabilities in Palo Alto Networks GlobalProtect App on Windows, macOS, and Linux allow a low-privileged local user to elevate to NT AUTHORITY\SYSTEM (Windows) or root (macOS/Linux), enabling full OS-level command execution. The root cause is CWE-426 (Untrusted Search Path), where the application resolves executables or libraries from attacker-controllable locations. No public exploit has been identified and CISA SSVC confirms exploitation status as none; however, SSVC rates technical impact as total, reflecting the complete privilege gain achievable upon successful exploitation.

Privilege Escalation Google Apple +4
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Zoom Rooms for Windows versions prior to 7.0.0 allows an authenticated user to gain elevated privileges through an untrusted search path weakness in the installer. The flaw (CWE-426) carries a CVSS 7.8 (High) rating with complete confidentiality, integrity, and availability impact, though EPSS exploitation probability is very low (0.01%) and there is no public exploit identified at time of analysis. CISA SSVC indicates no observed exploitation but total technical impact, making this a credible insider-threat or post-compromise escalation vector rather than an internet-facing risk.

Microsoft Privilege Escalation Zoom Rooms
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in the Zoom Workplace VDI Plugin Windows Universal Installer before version 6.6.11 allows an authenticated low-privileged user to elevate to higher privileges through external control of a file name or path during installation routines. The flaw was reported by Zoom and carries CVSS 7.8 with total technical impact, though no public exploit identified at time of analysis and EPSS sits at 0.01%. SSVC indicates exploitation status 'none' and the attack is not automatable, marking this as a patch-on-schedule rather than emergency item.

Microsoft Privilege Escalation Zoom Workplace Vdi Plugin
NVD VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Local privilege escalation in Claude Desktop for Windows prior to 1.3834.0 allows a low-privileged user to gain SYSTEM-level file write primitives by abusing the CoworkVMService component. The service fails to validate whether the user-writable VM bundle directory is a real directory or an NTFS directory junction, enabling a classic link-following attack. No public exploit identified at time of analysis, and EPSS is negligible (0.01%), but SSVC rates technical impact as total.

Microsoft Privilege Escalation Claude Desktop
NVD GitHub VulDB
Prev Page 14 of 193 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy