Skip to main content

Power Automate For Desktop

4 CVEs product

Monthly

CVE-2026-40374 MEDIUM PATCH Exploit Unlikely This Month

Exposure of sensitive information to an unauthorized actor in Power Automate allows an authorized attacker to disclose information over a network.

Information Disclosure Power Automate For Desktop
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-47966 CRITICAL Act Now

Critical information disclosure vulnerability in Microsoft Power Automate that allows unauthenticated remote attackers to expose sensitive information and escalate privileges across a network without requiring user interaction. With a CVSS score of 9.8 and an unauthenticated attack vector, this vulnerability represents an immediate and severe risk to organizations using Power Automate; exploitation is likely being actively pursued given the severity metrics and network-accessible nature of the vulnerability.

Information Disclosure Power Automate For Desktop
NVD
CVSS 3.1
9.8
EPSS
1.8%
CVE-2025-29817 MEDIUM This Month

Uncontrolled search path element in Power Automate allows an authorized attacker to disclose information over a network. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Power Automate For Desktop
NVD
CVSS 3.1
5.7
EPSS
1.1%
CVE-2025-21187 HIGH This Month

Microsoft Power Automate Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Microsoft Power Automate For Desktop
NVD
CVSS 3.1
7.8
EPSS
0.5%
EPSS 0% CVSS 6.5
MEDIUM PATCH Exploit Unlikely This Month

Exposure of sensitive information to an unauthorized actor in Power Automate allows an authorized attacker to disclose information over a network.

Information Disclosure Power Automate For Desktop
NVD VulDB
EPSS 2% CVSS 9.8
CRITICAL Act Now

Critical information disclosure vulnerability in Microsoft Power Automate that allows unauthenticated remote attackers to expose sensitive information and escalate privileges across a network without requiring user interaction. With a CVSS score of 9.8 and an unauthenticated attack vector, this vulnerability represents an immediate and severe risk to organizations using Power Automate; exploitation is likely being actively pursued given the severity metrics and network-accessible nature of the vulnerability.

Information Disclosure Power Automate For Desktop
NVD
EPSS 1% CVSS 5.7
MEDIUM This Month

Uncontrolled search path element in Power Automate allows an authorized attacker to disclose information over a network. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Power Automate For Desktop
NVD
EPSS 0% CVSS 7.8
HIGH This Month

Microsoft Power Automate Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Microsoft +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy