Filtered by vendor Microsoft
Subscribe
Total
22861 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-21223 | 1 Microsoft | 1 Edge Chromium | 2026-02-03 | N/A | 5.1 MEDIUM |
| Microsoft Edge Elevation Service exposes a privileged COM interface that inadequately validates the privileges of the calling process. A standard (non‑administrator) local user can invoke the IElevatorEdge interface method LaunchUpdateCmdElevatedAndWait, causing the service to execute privileged update commands as LocalSystem. This allows a non‑administrator to enable or disable Windows Virtualization‑Based Security (VBS) by modifying protected system registry keys under HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard. Disabling VBS weakens critical platform protections such as Credential Guard, Hypervisor‑protected Code Integrity (HVCI), and the Secure Kernel, resulting in a security feature bypass. | |||||
| CVE-2026-23512 | 2 Microsoft, Sumatrapdfreader | 2 Windows, Sumatrapdf | 2026-02-03 | N/A | 8.6 HIGH |
| SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, there is a Untrusted Search Path vulnerability when Advanced Options setting is trigger. The application executes notepad.exe without specifying an absolute path when using the Advanced Options setting. On Windows, this allows execution of a malicious notepad.exe placed in the application's installation directory, leading to arbitrary code execution. | |||||
| CVE-2026-21264 | 1 Microsoft | 1 Account | 2026-02-03 | N/A | 9.3 CRITICAL |
| Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Account allows an unauthorized attacker to perform spoofing over a network. | |||||
| CVE-2026-21227 | 1 Microsoft | 1 Azure Logic Apps | 2026-02-03 | N/A | 8.2 HIGH |
| Improper limitation of a pathname to a restricted directory ('path traversal') in Azure Logic Apps allows an unauthorized attacker to elevate privileges over a network. | |||||
| CVE-2026-21524 | 1 Microsoft | 1 Azure Data Explorer | 2026-02-03 | N/A | 7.4 HIGH |
| Exposure of sensitive information to an unauthorized actor in Azure Data Explorer allows an unauthorized attacker to disclose information over a network. | |||||
| CVE-2026-24305 | 1 Microsoft | 1 Entra Id | 2026-02-03 | N/A | 9.3 CRITICAL |
| Azure Entra ID Elevation of Privilege Vulnerability | |||||
| CVE-2025-12776 | 3 Commvault, Linux, Microsoft | 3 Commvault, Linux Kernel, Windows | 2026-02-02 | N/A | 5.4 MEDIUM |
| The Report Builder component of the application stores user input directly in a web page and displays it to other users, which raised concerns about a possible Cross-Site Scripting (XSS) attack. Proper management of this functionality helps ensure a secure and seamless user experience. Although the user input is not validated in the report creation, these scripts are not executed when the report is run by end users. The script is executed when the report is modified through the report builder by a user with edit permissions. The Report Builder is part of the WebConsole. The WebConsole package is currently end of life, and is no longer maintained. We strongly recommend against installing or using it in any production environment. However, if you choose to install it, for example, to access functionality like the Report Builder, it must be deployed within a fully isolated network that has no access to sensitive data or internet connectivity. This is a critical security precaution, as the retired package may contain unpatched vulnerabilities and is no longer supported with updates or fixes. | |||||
| CVE-2025-62224 | 1 Microsoft | 1 Edge | 2026-02-02 | N/A | 5.5 MEDIUM |
| User interface (ui) misrepresentation of critical information in Microsoft Edge for Android allows an authorized attacker to perform spoofing over a network. | |||||
| CVE-2025-67825 | 2 Gonitro, Microsoft | 2 Nitro Pdf Pro, Windows | 2026-02-02 | N/A | 5.5 MEDIUM |
| An issue was discovered in Nitro PDF Pro for Windows before 14.42.0.34. In certain cases, it displays signer information from a non-verified PDF field rather than from the verified certificate subject. This could allow a document to present inconsistent signer details. The display logic was updated to ensure signer information consistently reflects the verified certificate identity. | |||||
| CVE-2026-21860 | 2 Microsoft, Palletsprojects | 2 Windows, Werkzeug | 2026-02-02 | N/A | 5.3 MEDIUM |
| Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.5, Werkzeug's safe_join function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as CON, AUX, etc that are implicitly present and readable in every directory. Windows still accepts them with any file extension, such as CON.txt, or trailing spaces such as CON. This issue has been patched in version 3.1.5. | |||||
| CVE-2025-33231 | 2 Microsoft, Nvidia | 2 Windows, Cuda Toolkit | 2026-02-02 | N/A | 6.7 MEDIUM |
| NVIDIA Nsight Systems for Windows contains a vulnerability in the application’s DLL loading mechanism where an attacker could cause an uncontrolled search path element by exploiting insecure DLL search paths. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service and information disclosure. | |||||
| CVE-2025-33229 | 2 Microsoft, Nvidia | 2 Windows, Cuda Toolkit | 2026-02-02 | N/A | 7.3 HIGH |
| NVIDIA Nsight Visual Studio for Windows contains a vulnerability in Nsight Monitor where an attacker can execute arbitrary code with the same privileges as the NVIDIA Nsight Visual Studio Edition Monitor application. A successful exploit of this vulnerability may lead to escalation of privileges, code execution, data tampering, denial of service, and information disclosure. | |||||
| CVE-2026-21520 | 1 Microsoft | 1 Copilot Studio | 2026-02-02 | N/A | 7.5 HIGH |
| Exposure of Sensitive Information to an Unauthorized Actor in Copilot Studio allows a unauthenticated attacker to view sensitive information through network attack vector | |||||
| CVE-2026-21521 | 1 Microsoft | 1 365 Word Copilot | 2026-02-02 | N/A | 7.4 HIGH |
| Improper neutralization of escape, meta, or control sequences in Copilot allows an unauthorized attacker to disclose information over a network. | |||||
| CVE-2025-66476 | 2 Microsoft, Vim | 2 Windows, Vim | 2026-01-30 | N/A | 7.8 HIGH |
| Vim is an open source, command line text editor. Prior to version 9.1.1947, an uncontrolled search path vulnerability on Windows allows Vim to execute malicious executables placed in the current working directory for the current edited file. On Windows, when using cmd.exe as a shell, Vim resolves external commands by searching the current working directory before system paths. When Vim invokes tools such as findstr for :grep, external commands or filters via :!, or compiler/:make commands, it may inadvertently run a malicious executable present in the same directory as the file being edited. The issue affects Vim for Windows prior to version 9.1.1947. | |||||
| CVE-2025-13751 | 2 Microsoft, Openvpn | 2 Windows, Openvpn | 2026-01-30 | N/A | 5.5 MEDIUM |
| Interactive service agent in OpenVPN version 2.5.0 through 2.6.16 and 2.7_alpha1 through 2.7_rc2 on Windows allows a local authenticated user to connect to the service and trigger an error causing a local denial of service. | |||||
| CVE-2026-0901 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-01-30 | N/A | 5.4 MEDIUM |
| Inappropriate implementation in Blink in Google Chrome on Android prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High) | |||||
| CVE-2025-57836 | 2 Microsoft, Samsung | 2 Windows, Magician | 2026-01-30 | N/A | 7.8 HIGH |
| An issue was discovered in Samsung Magician 6.3.0 through 8.3.2 on Windows. The installer creates a temporary folder with weak permissions during installation, allowing a non-admin user to perform DLL hijacking and escalate privileges. | |||||
| CVE-2026-0908 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-01-29 | N/A | 8.8 HIGH |
| Use after free in ANGLE in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low) | |||||
| CVE-2026-0907 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-01-29 | N/A | 9.8 CRITICAL |
| Incorrect security UI in Split View in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | |||||