Microsoft CVEs & Vulnerabilities

1.621 CVEs affecting Microsoft products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

1.621 CVEs→ All vendors

Most Affected Products

windows 1.168windows server 2012 286windows 11 26h1 242windows server 2025 242windows 11 25h2 235windows 11 24h2 235windows server 2022 225windows 11 23h2 218
CVE-2026-32172HIGH

Uncontrolled search path element in Microsoft Power Apps allows an unauthorized attacker to execute code over a network.

24 Apr 2026
8.0
CVSS
CVE-2026-26150CRITICAL

Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network.

24 Apr 2026
10.0
CVSS
CVE-2026-24303CRITICAL

Improper access control in Microsoft Partner Center allows an authorized attacker to elevate privileges over a network.

24 Apr 2026
9.6
CVSS
CVE-2026-6921HIGH

Race in GPU in Google Chrome on Windows prior to 147.0.7727.117 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Medium)

23 Apr 2026
8.3
CVSS
CVE-2026-6920CRITICAL

Out of bounds read in GPU in Google Chrome on Android prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

23 Apr 2026
9.6
CVSS
CVE-2026-6919CRITICAL

Use after free in DevTools in Google Chrome prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

23 Apr 2026
9.6
CVSS
CVE-2026-40372CRITICAL

Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network.

21 Apr 2026
9.1
CVSS
CVE-2025-1241MEDIUM

Encrypted values in Fortra's GoAnywhere MFT prior to version 7.10.0 and GoAnywhere Agents prior to version 2.2.0 utilize a static IV which allows admin users to brute-force decryption of data.

21 Apr 2026
4.9
CVSS
CVE-2026-35603HIGH

Claude Code is an agentic coding tool. In versions prior to 2.1.75 on Windows, Claude Code loaded the system-wide default configuration from C:\ProgramData\ClaudeCode\managed-settings.json without validating directory ownership or access permissions. Because the ProgramData directory is writable by non-administrative users by default and the ClaudeCode subdirectory was not pre-created or access-restricted, a low-privileged local user could create this directory and place a malicious configuration file that would be automatically loaded for any user launching Claude Code on the same machine. Exploiting this would have required a shared multi-user Windows system and a victim user to launch Claude Code after the malicious configuration was placed. This issue has been fixed on version 2.1.75.

18 Apr 2026
7.3
CVSS
CVE-2026-6318HIGH

Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

15 Apr 2026
8.8
CVSS
CVE-2026-6317HIGH

Use after free in Cast in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

15 Apr 2026
8.8
CVSS
CVE-2026-6316HIGH

Use after free in Forms in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

15 Apr 2026
8.8
CVSS
CVE-2026-6314HIGH

Out of bounds write in GPU in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the GPU process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

15 Apr 2026
8.3
CVSS
CVE-2026-6313LOW

Insufficient policy enforcement in CORS in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

15 Apr 2026
3.1
CVSS
CVE-2026-6312LOW

Insufficient policy enforcement in Passwords in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

15 Apr 2026
3.1
CVSS
CVE-2026-6311HIGH

Uninitialized Use in Accessibility in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

15 Apr 2026
8.3
CVSS
CVE-2026-6310HIGH

Use after free in Dawn in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

15 Apr 2026
8.3
CVSS
CVE-2026-6309HIGH

Use after free in Viz in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

15 Apr 2026
8.3
CVSS
CVE-2026-6308HIGH

Out of bounds read in Media in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

15 Apr 2026
7.5
CVSS
CVE-2026-6307HIGH

Type Confusion in Turbofan in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

15 Apr 2026
8.8
CVSS
CVE-2026-6306HIGH

Heap buffer overflow in PDFium in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High)

15 Apr 2026
8.8
CVSS
CVE-2026-6305HIGH

Heap buffer overflow in PDFium in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High)

15 Apr 2026
8.8
CVSS
CVE-2026-6304HIGH

Use after free in Graphite in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

15 Apr 2026
8.3
CVSS
CVE-2026-6303HIGH

Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

15 Apr 2026
8.8
CVSS
CVE-2026-6302HIGH

Use after free in Video in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

15 Apr 2026
8.8
CVSS
CVE-2026-6301HIGH

Type Confusion in Turbofan in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

15 Apr 2026
8.8
CVSS
CVE-2026-6300HIGH

Use after free in CSS in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

15 Apr 2026
8.8
CVSS
CVE-2026-6299HIGH

Use after free in Prerender in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)

15 Apr 2026
8.8
CVSS
CVE-2026-6298MEDIUM

Heap buffer overflow in Skia in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Critical)

15 Apr 2026
4.3
CVSS
CVE-2026-6297HIGH

Use after free in Proxy in Google Chrome prior to 147.0.7727.101 allowed an attacker in a privileged network position to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

15 Apr 2026
8.3
CVSS
CVE-2026-6296CRITICAL

Heap buffer overflow in ANGLE in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

15 Apr 2026
9.6
CVSS
CVE-2026-27301MEDIUM

Adobe Framemaker versions 2022.8 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

15 Apr 2026
5.5
CVSS
CVE-2026-27300MEDIUM

Adobe Framemaker versions 2022.8 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

15 Apr 2026
5.5
CVSS
CVE-2026-27299MEDIUM

Adobe Framemaker versions 2022.8 and earlier are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system read. An attacker could leverage this vulnerability to access sensitive files or data on the system. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

15 Apr 2026
6.3
CVSS
CVE-2026-27298HIGH

Adobe Framemaker versions 2022.8 and earlier are affected by an Access of Resource Using Incompatible Type ('Type Confusion') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

15 Apr 2026
7.8
CVSS
CVE-2026-27297HIGH

Adobe Framemaker versions 2022.8 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

15 Apr 2026
7.8
CVSS
CVE-2026-27296HIGH

Adobe Framemaker versions 2022.8 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

15 Apr 2026
7.8
CVSS
CVE-2026-27295HIGH

Adobe Framemaker versions 2022.8 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

15 Apr 2026
7.8
CVSS
CVE-2026-27294HIGH

Adobe Framemaker versions 2022.8 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

15 Apr 2026
7.8
CVSS
CVE-2026-27293HIGH

Adobe Framemaker versions 2022.8 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

15 Apr 2026
7.8
CVSS
CVE-2026-27292HIGH

Adobe Framemaker versions 2022.8 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

15 Apr 2026
7.8
CVSS
CVE-2026-27290HIGH

Adobe Framemaker versions 2022.8 and earlier are affected by an Untrusted Search Path vulnerability that might allow attackers to execute arbitrary code in the context of the current user. If the application uses a search path to locate critical resources such as programs, then an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. Exploitation of this issue does not require user interaction.

15 Apr 2026
8.6
CVSS
CVE-2026-34631HIGH

InCopy versions 20.5.2, 21.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

15 Apr 2026
7.8
CVSS
CVE-2026-27287HIGH

InCopy versions 20.5.2, 21.2 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

15 Apr 2026
7.8
CVSS
CVE-2026-34630HIGH

Bridge versions 16.0.2, 15.1.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

14 Apr 2026
7.8
CVSS
CVE-2026-34618HIGH

Illustrator versions 30.2, 29.8.5 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

14 Apr 2026
7.8
CVSS
CVE-2026-27313HIGH

Bridge versions 16.0.2, 15.1.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

14 Apr 2026
7.8
CVSS
CVE-2026-27312HIGH

Bridge versions 16.0.2, 15.1.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

14 Apr 2026
7.8
CVSS
← PrevPage 26 / 34Next →