Microsoft CVEs & Vulnerabilities

1.621 CVEs affecting Microsoft products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

1.621 CVEs→ All vendors

Most Affected Products

windows 1.168windows server 2012 286windows 11 26h1 242windows server 2025 242windows 11 25h2 235windows 11 24h2 235windows server 2022 225windows 11 23h2 218
CVE-2026-23663HIGH

Improper privilege management in Azure Entra ID allows an unauthorized attacker to elevate privileges over a network.

23 May 2026
7.5
CVSS
CVE-2026-23652CRITICAL

Improper neutralization of special elements used in a command ('command injection') in Microsoft Power Pages allows an unauthorized attacker to execute code over a network.

23 May 2026
9.8
CVSS
CVE-2026-8992HIGH

An improper certificate validation vulnerability in Ivanti Secure Access Client before 22.8R6 allows a remote unauthenticated attacker to execute arbitrary code.

22 May 2026
8.8
CVSS
CVE-2026-9126HIGH

Use after free in DOM in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

20 May 2026
8.8
CVSS
CVE-2026-9124MEDIUM

Insufficient validation of untrusted input in Input in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

20 May 2026
5.3
CVSS
CVE-2026-9121HIGH

Out of bounds read in GPU in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

20 May 2026
8.8
CVSS
CVE-2026-9120HIGH

Use after free in WebRTC in Google Chrome prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

20 May 2026
8.8
CVSS
CVE-2026-9119HIGH

Heap buffer overflow in WebRTC in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

20 May 2026
8.8
CVSS
CVE-2026-9118HIGH

Use after free in XR in Google Chrome on Windows prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

20 May 2026
8.8
CVSS
CVE-2026-9116MEDIUM

Insufficient policy enforcement in ServiceWorker in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

20 May 2026
4.3
CVSS
CVE-2026-9115MEDIUM

Insufficient policy enforcement in Service Worker in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)

20 May 2026
4.3
CVSS
CVE-2026-9114HIGH

Use after free in QUIC in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code inside a sandbox via malicious network traffic. (Chromium security severity: High)

20 May 2026
8.8
CVSS
CVE-2026-9113MEDIUM

Out of bounds read in GPU in Google Chrome on Mac prior to 148.0.7778.179 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)

20 May 2026
4.3
CVSS
CVE-2026-9112HIGH

Use after free in GPU in Google Chrome on Windows prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

20 May 2026
8.8
CVSS
CVE-2026-9111HIGH

Use after free in WebRTC in Google Chrome on Linux prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)

20 May 2026
8.8
CVSS
CVE-2026-9110MEDIUM

Inappropriate implementation in UI in Google Chrome on Windows prior to 148.0.7778.179 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Critical)

20 May 2026
4.2
CVSS
CVE-2026-2813MEDIUM

ArcGIS Server contains an input validation weakness in the login redirection workflow. An Authenticated attacker could exploit this issue by sending a specially crafted request, Successful exploitation may result in the application redirecting the browser to an unintended, untrusted site, resulting in a limited confidentiality impact under specific user interaction conditions. The vulnerability affects only the client side navigation logic during authentication and remains confined to the same security boundary. No server side compromise or cross component impact is possible.  This issue affects ArcGIS Server 11.5.

20 May 2026
4.1
CVSS
CVE-2026-2812MEDIUM

ArcGIS Server contains an improper authentication vulnerability in an undocumented administrative endpoint. An unauthenticated attacker could exploit this issue by sending a crafted request to the endpoint. Successful exploitation may result in disruption of the web-based browsing interface. This issue affects ArcGIS Server 12.0 and earlier.

20 May 2026
5.3
CVSS
CVE-2026-45584HIGH

Heap-based buffer overflow in Microsoft Defender allows an unauthorized attacker to execute code over a network.

20 May 2026
8.1
CVSS
CVE-2026-42834HIGH

Improper link resolution before file access ('link following') in Azure Portal Windows Admin Center allows an authorized attacker to elevate privileges locally.

20 May 2026
7.8
CVSS
CVE-2026-41091KEVHIGHin the wild

Improper link resolution before file access ('link following') in Microsoft Defender allows an authorized attacker to elevate privileges locally.

20 May 2026
7.8
CVSS
CVE-2026-45498KEVHIGHin the wild

Microsoft Defender Denial of Service Vulnerability

20 May 2026
7.5
CVSS
CVE-2026-45585MEDIUM

Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as "YellowKey". The proof of concept for this vulnerability has been made public violating coordinated vulnerability best practices. We are issuing this CVE to provide mitigation guidance that can be implemented to protect against this vulnerability until the security update is made available. Mitigation FAQs Should I leverage the temporary mitigation? Microsoft recommends that you consider implementing these mitigations if you are concerned your devices and data are at risk of being compromised or stolen. For example, if your organization’s employees take their work devices home or on business travel. What impact to service availability/management could be caused by implementing the mitigations? Implementing these mitigations will not impact service availability or management operations. Do customers need to revert the changes made to mitigate the vulnerability once the security update to protect against this vulnerability is available? No. The security update will maintain the mitigation's behavior once the security update is installed. I am using TPM+PIN, am I at risk of this vulnerability being exploited No, if you are using TPM+PIN the vulnerability is not exploitable.

20 May 2026
6.8
CVSS
CVE-2026-45495CRITICAL

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

18 May 2026
9.8
CVSS
CVE-2026-45494MEDIUM

Microsoft Edge (Chromium-based) Spoofing Vulnerability

18 May 2026
6.1
CVSS
CVE-2026-45492MEDIUM

Improper input validation in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network.

18 May 2026
5.4
CVSS
CVE-2026-42822CRITICAL

Improper authentication in Azure Local Disconnected Operations allows an unauthorized attacker to elevate privileges over a network.

18 May 2026
10.0
CVSS
CVE-2026-8574HIGH

Use after free in Core in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

14 May 2026
8.3
CVSS
CVE-2026-8573HIGH

Integer overflow in Codecs in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Medium)

14 May 2026
8.3
CVSS
CVE-2026-8567MEDIUM

Integer overflow in ANGLE in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Medium)

14 May 2026
4.3
CVSS
CVE-2026-8562MEDIUM

Side-channel information leakage in Navigation in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

14 May 2026
4.3
CVSS
CVE-2026-8561MEDIUM

Incorrect security UI in Fullscreen in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

14 May 2026
5.4
CVSS
CVE-2026-8559MEDIUM

Integer overflow in Internationalization in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)

14 May 2026
4.3
CVSS
CVE-2026-8556LOW

Inappropriate implementation in ANGLE in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

14 May 2026
3.1
CVSS
CVE-2026-8555HIGH

Use after free in GTK in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

14 May 2026
8.8
CVSS
CVE-2026-8554LOW

Type Confusion in ANGLE in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)

14 May 2026
3.1
CVSS
CVE-2026-8550MEDIUM

Use after free in Google Lens in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

14 May 2026
6.5
CVSS
CVE-2026-8547HIGH

Insufficient policy enforcement in Passwords in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: High)

14 May 2026
7.5
CVSS
CVE-2026-8546MEDIUM

Out of bounds read in GPU in Google Chrome on Mac and Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

14 May 2026
5.3
CVSS
CVE-2026-8545LOW

Object corruption in Compositing in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

14 May 2026
3.1
CVSS
CVE-2026-8544HIGH

Use after free in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

14 May 2026
8.8
CVSS
CVE-2026-8542HIGH

Use after free in Core in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

14 May 2026
8.3
CVSS
CVE-2026-8541MEDIUM

Out of bounds read in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

14 May 2026
5.3
CVSS
CVE-2026-8531HIGH

Heap buffer overflow in WebML in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

14 May 2026
8.8
CVSS
CVE-2026-8530HIGH

Use after free in Network in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

14 May 2026
8.3
CVSS
CVE-2026-8529HIGH

Heap buffer overflow in Codecs in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted video file. (Chromium security severity: High)

14 May 2026
8.8
CVSS
CVE-2026-8528MEDIUM

Insufficient validation of untrusted input in SiteIsolation in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to bypass Site Isolation via a crafted HTML page. (Chromium security severity: High)

14 May 2026
4.3
CVSS
CVE-2026-8527HIGH

Insufficient validation of untrusted input in Downloads in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

14 May 2026
8.8
CVSS
← PrevPage 19 / 34Next →