Microsoft CVEs & Vulnerabilities

1.621 CVEs affecting Microsoft products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

1.621 CVEs→ All vendors

Most Affected Products

windows 1.168windows server 2012 286windows 11 26h1 242windows server 2025 242windows 11 25h2 235windows 11 24h2 235windows server 2022 225windows 11 23h2 218
CVE-2026-8526HIGH

Out of bounds write in WebRTC in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

14 May 2026
8.8
CVSS
CVE-2026-8524HIGH

Out of bounds write in WebAudio in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

14 May 2026
8.8
CVSS
CVE-2026-8523HIGH

Use after free in Mojo in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

14 May 2026
8.3
CVSS
CVE-2026-8521HIGH

Use after free in Tab Groups in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical)

14 May 2026
7.5
CVSS
CVE-2026-8520HIGH

Race in Payments in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

14 May 2026
8.3
CVSS
CVE-2026-8519HIGH

Integer overflow in ANGLE in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)

14 May 2026
8.8
CVSS
CVE-2026-8518HIGH

Use after free in Blink in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Critical)

14 May 2026
8.8
CVSS
CVE-2026-8516MEDIUM

Insufficient validation of untrusted input in DataTransfer in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Critical)

14 May 2026
5.3
CVSS
CVE-2026-8515HIGH

Use after free in HID in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

14 May 2026
8.3
CVSS
CVE-2026-8514HIGH

Use after free in Aura in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

14 May 2026
8.3
CVSS
CVE-2026-8512HIGH

Use after free in FileSystem in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

14 May 2026
8.3
CVSS
CVE-2026-8511CRITICAL

Use after free in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

14 May 2026
9.6
CVSS
CVE-2026-8510HIGH

Integer overflow in Skia in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)

14 May 2026
7.5
CVSS
CVE-2026-8509HIGH

Heap buffer overflow in WebML in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Critical)

14 May 2026
8.8
CVSS
CVE-2026-42897KEVMEDIUMin the wild

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

14 May 2026
6.1
CVSS
CVE-2026-41615HIGH

Exposure of sensitive information to an unauthorized actor in Microsoft Authenticator allows an unauthorized attacker to disclose information over a network.

14 May 2026
7.4
CVSS
CVE-2026-34690HIGH

After Effects versions 26.0, 25.6.4 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

12 May 2026
7.8
CVSS
CVE-2026-42899HIGH

Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service over a network.

12 May 2026
7.5
CVSS
CVE-2026-42898CRITICAL

Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.

12 May 2026
9.9
CVSS
CVE-2026-42896HIGH

Integer overflow or wraparound in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.

12 May 2026
7.8
CVSS
CVE-2026-42893HIGH

Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to perform tampering over a network.

12 May 2026
7.5
CVSS
CVE-2026-42891MEDIUM

User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.

12 May 2026
6.5
CVSS
CVE-2026-42838MEDIUM

Improper neutralization of special elements in output used by a downstream component ('injection') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to elevate privileges over a network.

12 May 2026
5.4
CVSS
CVE-2026-42833CRITICAL

Execution with unnecessary privileges in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.

12 May 2026
9.1
CVSS
CVE-2026-42832MEDIUM

Improper access control in Microsoft Office allows an unauthorized attacker to perform spoofing locally.

12 May 2026
5.5
CVSS
CVE-2026-42831HIGH

Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.

12 May 2026
7.8
CVSS
CVE-2026-42830MEDIUM

Untrusted search path in Azure Monitor Agent allows an authorized attacker to elevate privileges locally.

12 May 2026
6.5
CVSS
CVE-2026-42825HIGH

Use after free in Windows Telephony Service allows an authorized attacker to elevate privileges locally.

12 May 2026
7.0
CVSS
CVE-2026-42823CRITICAL

Improper access control in Azure Logic Apps allows an authorized attacker to elevate privileges over a network.

12 May 2026
9.9
CVSS
CVE-2026-41614MEDIUM

Improper access control in M365 Copilot for Desktop allows an unauthorized attacker to perform spoofing locally.

12 May 2026
6.2
CVSS
CVE-2026-41613HIGH

Session fixation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.

12 May 2026
8.8
CVSS
CVE-2026-41612MEDIUM

Relative path traversal in Visual Studio Code allows an unauthorized attacker to disclose information locally.

12 May 2026
5.5
CVSS
CVE-2026-41611LOW

Improper neutralization of script-related html tags in a web page (basic xss) in Visual Studio Code allows an unauthorized attacker to execute code locally.

12 May 2026
3.3
CVSS
CVE-2026-41610MEDIUM

Improper neutralization of input during web page generation ('cross-site scripting') in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally.

12 May 2026
5.0
CVSS
CVE-2026-41109HIGH

Improper neutralization of special elements in output used by a downstream component ('injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to bypass a security feature over a network.

12 May 2026
8.8
CVSS
CVE-2026-41107HIGH

External control of file name or path in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose information over a network.

12 May 2026
7.4
CVSS
CVE-2026-41103CRITICAL

Incorrect implementation of authentication algorithm in Microsoft SSO Plugin for Jira & Confluence allows an unauthorized attacker to elevate privileges over a network.

12 May 2026
9.1
CVSS
CVE-2026-41102MEDIUM

Improper access control in Microsoft Office PowerPoint allows an authorized attacker to perform spoofing locally.

12 May 2026
5.5
CVSS
CVE-2026-41101MEDIUM

Improper access control in Microsoft Office Word allows an authorized attacker to perform spoofing locally.

12 May 2026
5.5
CVSS
CVE-2026-41100MEDIUM

Improper access control in M365 Copilot allows an authorized attacker to perform spoofing locally.

12 May 2026
4.4
CVSS
CVE-2026-41097MEDIUM

Reliance on a component that is not updateable in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.

12 May 2026
6.7
CVSS
CVE-2026-41096CRITICAL

Heap-based buffer overflow in Microsoft Windows DNS allows an unauthorized attacker to execute code over a network.

12 May 2026
9.8
CVSS
CVE-2026-41095HIGH

Use after free in Data Deduplication allows an authorized attacker to elevate privileges locally.

12 May 2026
7.8
CVSS
CVE-2026-41094HIGH

Improper control of generation of code ('code injection') in Microsoft Data Formulator allows an unauthorized attacker to execute code over a network.

12 May 2026
8.8
CVSS
CVE-2026-41089KEVCRITICALin the wild

Stack-based buffer overflow in Windows Netlogon allows an unauthorized attacker to execute code over a network.

12 May 2026
9.8
CVSS
CVE-2026-41088HIGH

External control of file name or path in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.

12 May 2026
7.8
CVSS
CVE-2026-41086HIGH

Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges over a network.

12 May 2026
8.8
CVSS
CVE-2026-40421MEDIUM

External control of file name or path in Microsoft Office Word allows an unauthorized attacker to disclose information over a network.

12 May 2026
4.3
CVSS
← PrevPage 20 / 34Next →