Microsoft CVEs & Vulnerabilities

1.621 CVEs affecting Microsoft products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

1.621 CVEs→ All vendors

Most Affected Products

windows 1.168windows server 2012 286windows 11 26h1 242windows server 2025 242windows 11 25h2 235windows 11 24h2 235windows server 2022 225windows 11 23h2 218
CVE-2026-5874CRITICAL

Use after free in PrivateAI in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

9 Apr 2026
9.6
CVSS
CVE-2026-5873HIGH

Out of bounds read and write in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

9 Apr 2026
8.8
CVSS
CVE-2026-5872HIGH

Use after free in Blink in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

9 Apr 2026
8.8
CVSS
CVE-2026-5871HIGH

Type Confusion in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

9 Apr 2026
8.8
CVSS
CVE-2026-5870HIGH

Integer overflow in Skia in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

9 Apr 2026
8.8
CVSS
CVE-2026-5869MEDIUM

Heap buffer overflow in WebML in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

9 Apr 2026
4.3
CVSS
CVE-2026-5867MEDIUM

Heap buffer overflow in WebML in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

9 Apr 2026
4.3
CVSS
CVE-2026-5866HIGH

Use after free in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

9 Apr 2026
8.8
CVSS
CVE-2026-5865HIGH

Type Confusion in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

9 Apr 2026
8.8
CVSS
CVE-2026-5864MEDIUM

Heap buffer overflow in WebAudio in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

9 Apr 2026
4.3
CVSS
CVE-2026-5863HIGH

Inappropriate implementation in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

9 Apr 2026
8.8
CVSS
CVE-2026-5862HIGH

Inappropriate implementation in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

9 Apr 2026
8.8
CVSS
CVE-2026-5861HIGH

Use after free in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

9 Apr 2026
8.8
CVSS
CVE-2026-5860HIGH

Use after free in WebRTC in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

9 Apr 2026
8.8
CVSS
CVE-2026-5859HIGH

Integer overflow in WebML in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)

9 Apr 2026
8.8
CVSS
CVE-2026-5858HIGH

Heap buffer overflow in WebML in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)

9 Apr 2026
8.8
CVSS
CVE-2026-39844HIGH

NiceGUI is a Python-based UI framework. Prior to 3.10.0, Since PurePosixPath only recognizes forward slashes (/) as path separators, an attacker can bypass this sanitization on Windows by using backslashes (\) in the upload filename. Applications that construct file paths using file.name (a pattern demonstrated in NiceGUI's bundled examples) are vulnerable to arbitrary file write on Windows. This vulnerability is fixed in 3.10.0.

9 Apr 2026
7.5
CVSS
CVE-2026-33107CRITICAL

Server-side request forgery (ssrf) in Azure Databricks allows an unauthorized attacker to elevate privileges over a network.

3 Apr 2026
9.8
CVSS
CVE-2026-33105CRITICAL

Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over a network.

3 Apr 2026
9.8
CVSS
CVE-2026-32213CRITICAL

Improper authorization in Azure AI Foundry allows an unauthorized attacker to elevate privileges over a network.

3 Apr 2026
9.8
CVSS
CVE-2026-32211HIGH

Missing authentication for critical function in Azure MCP Server allows an unauthorized attacker to disclose information over a network.

3 Apr 2026
7.5
CVSS
CVE-2026-32173HIGH

Improper authentication in Azure SRE Agent allows an unauthorized attacker to disclose information over a network.

3 Apr 2026
7.5
CVSS
CVE-2026-26135HIGH

Server-side request forgery (ssrf) in Azure Custom Locations Resource Provider (RP) allows an authorized attacker to elevate privileges over a network.

3 Apr 2026
8.8
CVSS
CVE-2026-1243MEDIUM

IBM Content Navigator 3.0.15, 3.1.0, and 3.2.0 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

2 Apr 2026
5.4
CVSS
CVE-2025-13916HIGH

IBM Aspera Shares 1.9.9 through 1.11.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information

2 Apr 2026
7.5
CVSS
CVE-2026-5292HIGH

Out of bounds read in WebCodecs in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)

1 Apr 2026
8.8
CVSS
CVE-2026-5291MEDIUM

Inappropriate implementation in WebGL in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

1 Apr 2026
6.5
CVSS
CVE-2026-5290CRITICAL

Use after free in Compositing in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

1 Apr 2026
9.6
CVSS
CVE-2026-5289CRITICAL

Use after free in Navigation in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

1 Apr 2026
9.6
CVSS
CVE-2026-5288CRITICAL

Use after free in WebView in Google Chrome on Android prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

1 Apr 2026
9.6
CVSS
CVE-2026-5287HIGH

Use after free in PDF in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High)

1 Apr 2026
8.8
CVSS
CVE-2026-5286HIGH

Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

1 Apr 2026
8.8
CVSS
CVE-2026-5285HIGH

Use after free in WebGL in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

1 Apr 2026
8.8
CVSS
CVE-2026-5284HIGH

Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

1 Apr 2026
7.5
CVSS
CVE-2026-5283MEDIUM

Inappropriate implementation in ANGLE in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

1 Apr 2026
6.5
CVSS
CVE-2026-5282HIGH

Out of bounds read in WebCodecs in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)

1 Apr 2026
8.1
CVSS
CVE-2026-5281KEVHIGHin the wild

Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

1 Apr 2026
8.8
CVSS
CVE-2026-5280HIGH

Use after free in WebCodecs in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

1 Apr 2026
8.8
CVSS
CVE-2026-5279HIGH

Object corruption in V8 in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

1 Apr 2026
8.8
CVSS
CVE-2026-5278HIGH

Use after free in Web MIDI in Google Chrome on Android prior to 146.0.7680.178 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

1 Apr 2026
8.8
CVSS
CVE-2026-5277HIGH

Integer overflow in ANGLE in Google Chrome on Windows prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)

1 Apr 2026
7.5
CVSS
CVE-2026-5276MEDIUM

Insufficient policy enforcement in WebUSB in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

1 Apr 2026
6.5
CVSS
CVE-2026-5275HIGH

Heap buffer overflow in ANGLE in Google Chrome on Mac prior to 146.0.7680.178 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

1 Apr 2026
8.8
CVSS
CVE-2026-5274HIGH

Integer overflow in Codecs in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)

1 Apr 2026
8.8
CVSS
CVE-2026-5273MEDIUM

Use after free in CSS in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

1 Apr 2026
6.3
CVSS
CVE-2026-5272HIGH

Heap buffer overflow in GPU in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

1 Apr 2026
8.8
CVSS
CVE-2025-13855HIGH

IBM Storage Protect Server 8.2.0 IBM Storage Protect Plus Server is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database.

1 Apr 2026
8.8
CVSS
CVE-2026-2123HIGH

A security audit identified a privilege escalation vulnerability in Operations Agent(<=OA 12.29) on Windows. Under specific conditions Operations Agent may run executables from specific writeable locations.Thanks to Manuel Rickli & Philippe Leiser of Oneconsult AG for reporting this vulnerability

31 Mar 2026
7.8
CVSS
← PrevPage 29 / 34Next →