Filtered by vendor Microsoft
Subscriptions
Total
23035 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-0386 | 1 Microsoft | 11 Windows Server 2008, Windows Server 2008 R2, Windows Server 2008 Sp2 and 8 more | 2026-01-23 | 7.5 High |
| Improper access control in Windows Deployment Services allows an unauthorized attacker to execute code over an adjacent network. | ||||
| CVE-2026-21265 | 1 Microsoft | 20 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 17 more | 2026-01-23 | 6.4 Medium |
| Windows Secure Boot stores Microsoft certificates in the UEFI KEK and DB. These original certificates are approaching expiration, and devices containing affected certificate versions must update them to maintain Secure Boot functionality and avoid compromising security by losing security fixes related to Windows boot manager or Secure Boot. The operating system’s certificate update protection mechanism relies on firmware components that might contain defects, which can cause certificate trust updates to fail or behave unpredictably. This leads to potential disruption of the Secure Boot trust chain and requires careful validation and deployment to restore intended security guarantees. Certificate Authority (CA) Location Purpose Expiration Date Microsoft Corporation KEK CA 2011 KEK Signs updates to the DB and DBX 06/24/2026 Microsoft Corporation UEFI CA 2011 DB Signs 3rd party boot loaders, Option ROMs, etc. 06/27/2026 Microsoft Windows Production PCA 2011 DB Signs the Windows Boot Manager 10/19/2026 For more information see this CVE and Windows Secure Boot certificate expiration and CA updates. | ||||
| CVE-2026-20962 | 1 Microsoft | 16 Windows 10 1809, Windows 10 21h2, Windows 10 21h2 and 13 more | 2026-01-23 | 4.4 Medium |
| Use of uninitialized resource in Dynamic Root of Trust for Measurement (DRTM) allows an authorized attacker to disclose information locally. | ||||
| CVE-2025-54313 | 5 Alexghr, Homarr, Microsoft and 2 more | 8 Got-fetch, Homarr, Windows and 5 more | 2026-01-23 | 7.5 High |
| eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows. | ||||
| CVE-2026-0747 | 2 Devolutions, Microsoft | 2 Remote Desktop Manager, Windows | 2026-01-22 | 3.3 Low |
| Exposure of sensitive information in the TeamViewer entry dashboard component in Devolutions Remote Desktop Manager 2025.3.24.0 through 2025.3.28.0 on Windows allows an external observer to view a password on screen via a defective masking feature, for example during physical observation or screen sharing. | ||||
| CVE-2025-11178 | 2 Acronis, Microsoft | 2 True Image, Windows | 2026-01-22 | N/A |
| Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis True Image (Windows) before build 42386, Acronis True Image for Western Digital (Windows) before build 42636. | ||||
| CVE-2022-46764 | 2 Microsoft, Trueconf | 2 Windows, Server | 2026-01-21 | 9.8 Critical |
| A SQL injection issue in the web API in TrueConf Server 5.2.0.10225 (fixed in 5.2.6) allows remote unauthenticated attackers to execute arbitrary SQL commands, ultimately leading to remote code execution. | ||||
| CVE-2022-46763 | 2 Microsoft, Trueconf | 2 Windows, Server | 2026-01-21 | 8.8 High |
| A SQL injection issue in a database stored function in TrueConf Server 5.2.0.10225 (fixed in 5.2.6) allows a low-privileged database user to execute arbitrary SQL commands as the database administrator, resulting in execution of arbitrary code. | ||||
| CVE-2025-26627 | 1 Microsoft | 1 Azure Arc | 2026-01-20 | 7 High |
| Improper neutralization of special elements used in a command ('command injection') in Azure Arc allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-10215 | 2 Microsoft, Updf | 2 Windows, Updf | 2026-01-20 | 7.8 High |
| DLL search path hijacking vulnerability in the UPDF.exe executable for Windows version 1.8.5.0 allows attackers with local access to execute arbitrary code by placing a FREngine.dll file of their choice in the 'C:\Users\Public\AppData\Local\UPDF\FREngine\Bin64\' directory, which could lead to arbitrary code execution and persistence. | ||||
| CVE-2025-10198 | 2 Lizardbyte, Microsoft | 2 Sunshine, Windows | 2026-01-20 | 7.8 High |
| Sunshine for Windows, version v2025.122.141614, contains a DLL search-order hijacking vulnerability, allowing attackers to insert a malicious DLL in user-writeable PATH directories. | ||||
| CVE-2026-0903 | 2 Google, Microsoft | 2 Chrome, Windows | 2026-01-20 | 5.4 Medium |
| Inappropriate implementation in Downloads in Google Chrome on Windows prior to 144.0.7559.59 allowed a remote attacker to bypass dangerous file type protections via a malicious file. (Chromium security severity: Medium) | ||||
| CVE-2021-47828 | 2 Microsoft, Weird Solutions | 2 Windows, Bootpturbo | 2026-01-19 | 7.8 High |
| BOOTP Turbo 2.0.0.1253 contains an unquoted service path vulnerability in its Windows service configuration. Attackers can exploit the unquoted path to execute arbitrary code with elevated LocalSystem privileges during system startup or reboot. | ||||
| CVE-2025-63916 | 2 Luotengyuan, Microsoft | 2 Myscreentools, Windows | 2026-01-16 | 8.1 High |
| MyScreenTools v2.2.1.0 contains a critical OS command injection vulnerability in the GIF compression tool. The application fails to properly sanitize user-supplied file paths before passing them to cmd.exe, allowing attackers to execute arbitrary system commands with the privileges of the user running the application. The vulnerability exists in the CMD() function within GIFSicleTool\Form_gif_sicle_tool.cs, which constructs shell commands by concatenating unsanitized user input (file paths) and executes them via cmd.exe. | ||||
| CVE-2025-64663 | 1 Microsoft | 2 Azure Cognitive Service For Language, Azure Language | 2026-01-16 | 9.9 Critical |
| Custom Question Answering Elevation of Privilege Vulnerability | ||||
| CVE-2024-58315 | 2 Microsoft, Tosi | 2 Windows, Tosibox Key | 2026-01-16 | 7.8 High |
| Tosibox Key Service 3.3.0 contains an unquoted service path vulnerability that allows local non-privileged users to potentially execute code with elevated system privileges. Attackers can exploit the service startup process by inserting malicious code in the system root path, enabling unauthorized code execution during application startup or system reboot. | ||||
| CVE-2022-50696 | 3 Linux, Microsoft, Sound4 | 23 Linux, Windows, Big Voice2 and 20 more | 2026-01-16 | 9.8 Critical |
| SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain hardcoded credentials embedded in server binaries that cannot be modified through normal device operations. Attackers can leverage these static credentials to gain unauthorized access to the device across Linux and Windows distributions without requiring user interaction. | ||||
| CVE-2025-64677 | 1 Microsoft | 2 Office Out-of-box Experience, Office Out Of-box Experience | 2026-01-16 | 8.2 High |
| Improper neutralization of input during web page generation ('cross-site scripting') in Office Out-of-Box Experience allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2025-64675 | 1 Microsoft | 2 Azure Cosmos Db, Cosmos Db | 2026-01-16 | 8.3 High |
| Improper neutralization of input during web page generation ('cross-site scripting') in Azure Cosmos DB allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2025-43491 | 2 Hp, Microsoft | 3 Poly Lens, Poly Lens Desktop, Windows | 2026-01-16 | 9.8 Critical |
| A vulnerability in the Poly Lens Desktop application running on the Windows platform might allow modifications to the filesystem, which might lead to SYSTEM level privileges being granted. | ||||