| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| OpenClaw before 2026.4.27 contains an authorization bypass vulnerability in QQBot pre-dispatch slash commands that allows authenticated senders to skip allowFrom policy checks. Attackers can invoke slash commands before configured access control policies are applied, potentially triggering command handling from blocked senders depending on operator configuration. |
| Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to disclose information over a network. |
| Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network. |
| Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. |
| Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. |
| On April 18th 2025, Microsoft announced Exchange Server Security Changes for Hybrid Deployments and accompanying non-security Hot Fix. Microsoft made these changes in the general interest of improving the security of hybrid Exchange deployments. Following further investigation, Microsoft identified specific security implications tied to the guidance and configuration steps outlined in the April announcement. Microsoft is issuing CVE-2025-53786 to document a vulnerability that is addressed by taking the steps documented with the April 18th announcement. Microsoft strongly recommends reading the information, installing the April 2025 (or later) Hot Fix and implementing the changes in your Exchange Server and hybrid environment. |
| Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally. |
| Integer underflow (wrap or wraparound) in Windows NT OS Kernel allows an authorized attacker to elevate privileges locally. |
| Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally. |
| Access of resource using incompatible type ('type confusion') in Windows Kernel-Mode Drivers allows an authorized attacker to elevate privileges locally. |
| Use after free in Windows SDK allows an authorized attacker to elevate privileges locally. |
| Exposure of sensitive information to an unauthorized actor in Microsoft Exchange Server allows an unauthorized attacker to disclose information over a network. |
| Improper access control in Microsoft Kinect allows an authorized attacker to elevate privileges locally. |
| Protection mechanism failure in Windows UEFI allows an authorized attacker to bypass a security feature locally. |
| Improper input validation in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. |
| Incorrect implementation of authentication algorithm in Microsoft Exchange Server allows an unauthorized attacker to elevate privileges locally. |
| Weak authentication in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network. |
| Improper input validation in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network. |
| Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption). |
| VMware Cloud Foundation Operations contains multiple stored cross-site scripting vulnerabilities.A malicious actor with privileges to create policies, views or text-widgets may be able to inject scripts to perform administrative actions in VMware Cloud Foundation Operations. |
