Filtered by vendor Microsoft
Subscribe
Total
22989 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-58315 | 2 Microsoft, Tosi | 2 Windows, Tosibox Key | 2026-01-16 | N/A | 7.8 HIGH |
|
Tosibox Key Service 3.3.0 contains an unquoted service path vulnerability that allows local non-privileged users to potentially execute code with elevated system privileges. Attackers can exploit the service startup process by inserting malicious code in the system root path, enabling unauthorized code execution during application startup or system reboot.
|
|||||
| CVE-2025-64677 | 1 Microsoft | 1 Office Out-of-box Experience | 2026-01-16 | N/A | 8.2 HIGH |
|
Improper neutralization of input during web page generation ('cross-site scripting') in Office Out-of-Box Experience allows an unauthorized attacker to perform spoofing over a network.
|
|||||
| CVE-2025-64675 | 1 Microsoft | 1 Azure Cosmos Db | 2026-01-16 | N/A | 8.3 HIGH |
|
Improper neutralization of input during web page generation ('cross-site scripting') in Azure Cosmos DB allows an unauthorized attacker to perform spoofing over a network.
|
|||||
| CVE-2026-21221 | 1 Microsoft | 3 Windows 11 24h2, Windows 11 25h2, Windows Server 2025 | 2026-01-16 | N/A | 7.0 HIGH |
|
Concurrent execution using shared resource with improper synchronization ('race condition') in Capability Access Management Service (camsvc) allows an authorized attacker to elevate privileges locally.
|
|||||
| CVE-2025-43491 | 2 Hp, Microsoft | 2 Poly Lens Desktop, Windows | 2026-01-16 | N/A | 9.8 CRITICAL |
|
A vulnerability in the Poly Lens Desktop application running on the Windows platform might allow modifications to the filesystem, which might lead to SYSTEM level privileges being granted.
|
|||||
| CVE-2026-20965 | 1 Microsoft | 1 Windows Admin Center | 2026-01-16 | N/A | 7.5 HIGH |
|
Improper verification of cryptographic signature in Windows Admin Center allows an authorized attacker to elevate privileges locally.
|
|||||
| CVE-2026-20949 | 1 Microsoft | 2 365 Apps, Office Long Term Servicing Channel | 2026-01-16 | N/A | 7.8 HIGH |
|
Improper access control in Microsoft Office Excel allows an unauthorized attacker to bypass a security feature locally.
|
|||||
| CVE-2026-20948 | 1 Microsoft | 5 365 Apps, Office, Office Long Term Servicing Channel and 2 more | 2026-01-16 | N/A | 7.8 HIGH |
|
Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally.
|
|||||
| CVE-2026-20947 | 1 Microsoft | 1 Sharepoint Server | 2026-01-16 | N/A | 8.8 HIGH |
|
Improper neutralization of special elements used in an sql command ('sql injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
|
|||||
| CVE-2026-20946 | 1 Microsoft | 4 365 Apps, Excel, Office and 1 more | 2026-01-16 | N/A | 7.8 HIGH |
|
Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
|
|||||
| CVE-2026-20944 | 1 Microsoft | 2 365 Apps, Office Long Term Servicing Channel | 2026-01-16 | N/A | 8.4 HIGH |
|
Out-of-bounds read in Microsoft Office Word allows an unauthorized attacker to execute code locally.
|
|||||
| CVE-2026-20943 | 1 Microsoft | 3 Office, Office Deployment Tool, Sharepoint Server | 2026-01-16 | N/A | 7.0 HIGH |
|
Untrusted search path in Microsoft Office allows an unauthorized attacker to execute code locally.
|
|||||
| CVE-2026-20941 | 1 Microsoft | 3 Windows 11 24h2, Windows 11 25h2, Windows Server 2025 | 2026-01-16 | N/A | 7.8 HIGH |
|
Improper link resolution before file access ('link following') in Host Process for Windows Tasks allows an authorized attacker to elevate privileges locally.
|
|||||
| CVE-2026-20940 | 1 Microsoft | 10 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 7 more | 2026-01-16 | N/A | 7.8 HIGH |
|
Heap-based buffer overflow in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.
|
|||||
| CVE-2026-20939 | 1 Microsoft | 12 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 9 more | 2026-01-16 | N/A | 5.5 MEDIUM |
|
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.
|
|||||
| CVE-2026-20938 | 1 Microsoft | 3 Windows 11 23h2, Windows 11 24h2, Windows 11 25h2 | 2026-01-16 | N/A | 7.8 HIGH |
|
Untrusted pointer dereference in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to elevate privileges locally.
|
|||||
| CVE-2026-20937 | 1 Microsoft | 12 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 9 more | 2026-01-16 | N/A | 5.5 MEDIUM |
|
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.
|
|||||
| CVE-2026-20936 | 1 Microsoft | 14 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 11 more | 2026-01-16 | N/A | 4.3 MEDIUM |
|
Out-of-bounds read in Windows NDIS allows an authorized attacker to disclose information with a physical attack.
|
|||||
| CVE-2026-20935 | 1 Microsoft | 3 Windows 11 23h2, Windows 11 24h2, Windows 11 25h2 | 2026-01-16 | N/A | 6.2 MEDIUM |
|
Untrusted pointer dereference in Windows Virtualization-Based Security (VBS) Enclave allows an unauthorized attacker to disclose information locally.
|
|||||
| CVE-2026-20934 | 1 Microsoft | 13 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 10 more | 2026-01-16 | N/A | 7.5 HIGH |
|
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to elevate privileges over a network.
|
|||||
| CVE-2026-20932 | 1 Microsoft | 12 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 9 more | 2026-01-16 | N/A | 5.5 MEDIUM |
|
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.
|
|||||
| CVE-2026-20931 | 1 Microsoft | 14 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 11 more | 2026-01-16 | N/A | 8.0 HIGH |
|
External control of file name or path in Windows Telephony Service allows an authorized attacker to elevate privileges over an adjacent network.
|
|||||
| CVE-2026-20929 | 1 Microsoft | 11 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 8 more | 2026-01-16 | N/A | 7.5 HIGH |
|
Improper access control in Windows HTTP.sys allows an authorized attacker to elevate privileges over a network.
|
|||||
| CVE-2026-20927 | 1 Microsoft | 14 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 11 more | 2026-01-16 | N/A | 5.3 MEDIUM |
|
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to deny service over a network.
|
|||||
| CVE-2026-20926 | 1 Microsoft | 13 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 10 more | 2026-01-16 | N/A | 7.5 HIGH |
|
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to elevate privileges over a network.
|
|||||
| CVE-2026-20925 | 1 Microsoft | 14 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 11 more | 2026-01-16 | N/A | 6.5 MEDIUM |
|
External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network.
|
|||||
| CVE-2026-20924 | 1 Microsoft | 10 Windows 10 1809, Windows 10 21h2, Windows 10 22h2 and 7 more | 2026-01-16 | N/A | 7.8 HIGH |
|
Use after free in Windows Management Services allows an authorized attacker to elevate privileges locally.
|
|||||
| CVE-2026-20803 | 1 Microsoft | 2 Sql Server 2022, Sql Server 2025 | 2026-01-16 | N/A | 7.2 HIGH |
|
Missing authentication for critical function in SQL Server allows an authorized attacker to elevate privileges over a network.
|
|||||
| CVE-2025-27489 | 1 Microsoft | 2 Azure Stack Hci 22h2, Azure Stack Hci 23h2 | 2026-01-16 | N/A | 7.8 HIGH |
|
Improper input validation in Azure Local allows an authorized attacker to elevate privileges locally.
|
|||||
| CVE-2025-26628 | 1 Microsoft | 1 Azure Local Cluster | 2026-01-16 | N/A | 7.3 HIGH |
|
Insufficiently protected credentials in Azure Local Cluster allows an authorized attacker to disclose information locally.
|
|||||
| CVE-2025-25002 | 1 Microsoft | 1 Azure Local Cluster | 2026-01-16 | N/A | 6.8 MEDIUM |
|
Insertion of sensitive information into log file in Azure Local Cluster allows an authorized attacker to disclose information over an adjacent network.
|
|||||
| CVE-2025-65037 | 1 Microsoft | 1 Azure Container Apps | 2026-01-15 | N/A | 10.0 CRITICAL |
|
Improper control of generation of code ('code injection') in Azure Container Apps allows an unauthorized attacker to execute code over a network.
|
|||||
| CVE-2026-20873 | 1 Microsoft | 10 Windows 10 1809, Windows 10 21h2, Windows 10 22h2 and 7 more | 2026-01-15 | N/A | 7.8 HIGH |
|
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally.
|
|||||
| CVE-2026-20874 | 1 Microsoft | 10 Windows 10 1809, Windows 10 21h2, Windows 10 22h2 and 7 more | 2026-01-15 | N/A | 7.8 HIGH |
|
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally.
|
|||||
| CVE-2026-20875 | 1 Microsoft | 14 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 11 more | 2026-01-15 | N/A | 7.5 HIGH |
|
Null pointer dereference in Windows Local Security Authority Subsystem Service (LSASS) allows an unauthorized attacker to deny service over a network.
|
|||||
| CVE-2026-20876 | 1 Microsoft | 5 Windows 11 23h2, Windows 11 24h2, Windows 11 25h2 and 2 more | 2026-01-15 | N/A | 6.7 MEDIUM |
|
Heap-based buffer overflow in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to elevate privileges locally.
|
|||||
| CVE-2026-20877 | 1 Microsoft | 10 Windows 10 1809, Windows 10 21h2, Windows 10 22h2 and 7 more | 2026-01-15 | N/A | 7.8 HIGH |
|
Use after free in Windows Management Services allows an authorized attacker to elevate privileges locally.
|
|||||
| CVE-2026-20918 | 1 Microsoft | 10 Windows 10 1809, Windows 10 21h2, Windows 10 22h2 and 7 more | 2026-01-15 | N/A | 7.8 HIGH |
|
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally.
|
|||||
| CVE-2026-20919 | 1 Microsoft | 13 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 10 more | 2026-01-15 | N/A | 7.5 HIGH |
|
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to elevate privileges over a network.
|
|||||
| CVE-2026-20920 | 1 Microsoft | 3 Windows 11 23h2, Windows Server 2022, Windows Server 2022 23h2 | 2026-01-15 | N/A | 7.8 HIGH |
|
Use after free in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally.
|
|||||