Microsoft CVEs & Vulnerabilities

1.621 CVEs affecting Microsoft products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

1.621 CVEs→ All vendors

Most Affected Products

windows 1.168windows server 2012 286windows 11 26h1 242windows server 2025 242windows 11 25h2 235windows 11 24h2 235windows server 2022 225windows 11 23h2 218
CVE-2026-9891CRITICAL

Use after free in Extensions in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted Chrome Extension. (Chromium security severity: Critical)

29 May 2026
9.0
CVSS
CVE-2026-9890HIGH

Use after free in XR in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

29 May 2026
8.3
CVSS
CVE-2026-9887HIGH

Use after free in Proxy in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted PAC script. (Chromium security severity: Critical)

29 May 2026
8.8
CVSS
CVE-2026-9883HIGH

Use after free in Base in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)

29 May 2026
8.8
CVSS
CVE-2026-9882MEDIUM

Integer overflow in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Critical)

29 May 2026
6.5
CVSS
CVE-2026-9880HIGH

Insufficient validation of untrusted input in WebGL in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

29 May 2026
8.3
CVSS
CVE-2026-9879HIGH

Out of bounds write in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)

29 May 2026
8.8
CVSS
CVE-2026-9878HIGH

Use after free in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Critical)

29 May 2026
8.8
CVSS
CVE-2026-9877HIGH

Use after free in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

29 May 2026
8.3
CVSS
CVE-2026-9874CRITICAL

Use after free in Dawn in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

29 May 2026
9.6
CVSS
CVE-2026-9873HIGH

Use after free in Network in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Critical)

29 May 2026
8.8
CVSS
CVE-2026-10022HIGH

Type Confusion in V8 in Google Chrome prior to 148.0.7778.216 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code inside a sandbox via a crafted Chrome Extension. (Chromium security severity: Medium)

29 May 2026
8.8
CVSS
CVE-2026-10021HIGH

Insufficient validation of untrusted input in USB in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Medium)

29 May 2026
8.8
CVSS
CVE-2026-10019HIGH

Integer overflow in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

29 May 2026
8.8
CVSS
CVE-2026-10018MEDIUM

Integer overflow in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

29 May 2026
6.5
CVSS
CVE-2026-10016HIGH

Use after free in DOM in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

29 May 2026
8.8
CVSS
CVE-2026-10015HIGH

Integer overflow in WTF in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

29 May 2026
8.8
CVSS
CVE-2026-10013HIGH

Use after free in WebCodecs in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

29 May 2026
8.8
CVSS
CVE-2026-10012HIGH

Use after free in Skia in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

29 May 2026
8.3
CVSS
CVE-2026-10009HIGH

Integer overflow in Skia in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

29 May 2026
7.5
CVSS
CVE-2026-10007HIGH

Use after free in SVG in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

29 May 2026
8.8
CVSS
CVE-2026-10006HIGH

Race in WebAudio in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

29 May 2026
7.5
CVSS
CVE-2026-10004MEDIUM

Insufficient validation of untrusted input in Passwords in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High)

29 May 2026
6.5
CVSS
CVE-2026-10003HIGH

Use after free in Views in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

29 May 2026
7.5
CVSS
CVE-2026-10002HIGH

Use after free in PDFium in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: High)

29 May 2026
8.8
CVSS
CVE-2026-10001HIGH

Use after free in PerformanceManager in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

29 May 2026
8.3
CVSS
CVE-2026-10000HIGH

Use after free in Passwords in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

29 May 2026
8.3
CVSS
CVE-2026-6053MEDIUM

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to a denial of service when a specially crafted query is run with range partitioned tables.

27 May 2026
5.5
CVSS
CVE-2026-6052HIGH

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to running out of memory when executing certain queries with MDC tables.

27 May 2026
7.5
CVSS
CVE-2026-6051HIGH

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to a denial of service when executing a specially crafted query with a small statement heap.

27 May 2026
7.5
CVSS
CVE-2026-8856CRITICAL

IBM HTTP Server 8.5, and 9.0 is vulnerable to denial of service in configurations where an attacker has write access to parts of the server configuration.

26 May 2026
9.1
CVSS
CVE-2026-8855CRITICAL

IBM HTTP Server 8.5, and 9.0 is vulnerable to remote code execution and denial of service in configurations with TLS mutual authentication (client authentication).

26 May 2026
9.8
CVSS
CVE-2026-8854HIGH

IBM HTTP Server 8.5, and 9.0 is vulnerable to denial of service via the optional module mod_mem_cache.

26 May 2026
7.5
CVSS
CVE-2026-8835HIGH

IBM HTTP Server 8.5, and 9.0 is vulnerable to invalid pointer dereference. A privileged user, authenticated to the Administration Server, could exploit this vulnerability to expose sensitive information or cause a denial of service.

26 May 2026
7.3
CVSS
CVE-2026-8834HIGH

IBM HTTP Server 8.5, and 9.0 contains a buffer overflow vulnerability. A privileged user, authenticated to the Administration Server, could exploit this vulnerability to execute remote code or cause a denial of service.

26 May 2026
8.0
CVSS
CVE-2026-8852HIGH

IBM HTTP Server 8.5, and 9.0 is vulnerable to denial of service via the optional module mod_fastcgi module.

26 May 2026
7.5
CVSS
CVE-2026-8850HIGH

IBM HTTP Server 8.5, and 9.0 is vulnerable to denial of service via the optional module mod_ibm_upload.

26 May 2026
7.5
CVSS
CVE-2026-47280CRITICAL

Improper authentication in Azure Resource Manager (ARM) allows an unauthorized attacker to elevate privileges over a network.

23 May 2026
9.8
CVSS
CVE-2026-45659KEVHIGHin the wild

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

23 May 2026
8.8
CVSS
CVE-2026-42901CRITICAL

Origin validation error in Microsoft Entra ID allows an unauthorized attacker to elevate privileges over a network.

23 May 2026
10.0
CVSS
CVE-2026-42827HIGH

Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.

23 May 2026
7.5
CVSS
CVE-2026-41104HIGH

Deserialization of untrusted data in Microsoft Planetary Computer Pro allows an unauthorized attacker to disclose information over a network.

23 May 2026
7.5
CVSS
CVE-2026-41090CRITICAL

Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to perform tampering over a network.

23 May 2026
9.3
CVSS
CVE-2026-40412CRITICAL

Unrestricted upload of file with dangerous type in Azure Orbital Spatio allows an unauthorized attacker to execute code over a network.

23 May 2026
9.8
CVSS
CVE-2026-40411HIGH

Improper input validation in Azure Virtual Network Gateway allows an authorized attacker to execute code over a network.

23 May 2026
8.8
CVSS
CVE-2026-35430HIGH

Authorization bypass through user-controlled key in Azure Privileged Identity Management (PIM) allows an authorized attacker to elevate privileges over a network.

23 May 2026
8.8
CVSS
CVE-2026-33843CRITICAL

Authentication bypass using an alternate path or channel in Microsoft Azure Active Directory B2C allows an unauthorized attacker to elevate privileges over a network.

23 May 2026
9.8
CVSS
CVE-2026-26147HIGH

Improper input validation in Azure Compute Gallery allows an authorized attacker to disclose information over a network.

23 May 2026
7.7
CVSS
← PrevPage 18 / 34Next →