Export limit exceeded: 24914 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (24914 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-40416 | 1 Microsoft | 1 Edge Chromium | 2026-05-18 | 4.3 Medium |
| User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2026-44503 | 1 Microsoft | 6 Kiota-abstractions, Kiota-http, Kiota-http-go and 3 more | 2026-05-17 | N/A |
| The RedirectHandler middleware in microsoft/kiota-java (com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0) and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme. Only the Authorization header is removed; Cookie, Proxy-Authorization, and all custom headers are forwarded to the redirect target. | ||||
| CVE-2026-41615 | 1 Microsoft | 3 Authenticator, Authenticator For Android, Authenticator For Ios | 2026-05-17 | 9.6 Critical |
| Exposure of sensitive information to an unauthorized actor in Microsoft Authenticator allows an unauthorized attacker to disclose information over a network. | ||||
| CVE-2026-44641 | 1 Microsoft | 1 Apm | 2026-05-17 | 7.1 High |
| Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.8.12, Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are attacker-controlled, but the implementation does not enforce that those paths remain inside the plugin directory. A malicious plugin can therefore use absolute paths or ../ traversal paths to copy arbitrary readable host files or directories from the installer's machine during apm install. This vulnerability is fixed in 0.8.12. | ||||
| CVE-2026-45539 | 1 Microsoft | 1 Apm | 2026-05-17 | 7.4 High |
| Microsoft APM is an open-source, community-driven dependency manager for AI agents. From 0.5.4 to 0.12.4, two primitive integrators in apm-cli enumerate package files with bare Path.glob() / Path.rglob() calls and read each match with Path.read_text(), transparently following symbolic links. A symlink committed inside a remote APM dependency under .apm/prompts/<x>.prompt.md or .apm/agents/<x>.agent.md is preserved verbatim into apm_modules/ on clone and then dereferenced during integration, with the resolved content written as a regular file into the project's deploy directories. The package content_hash, the pre-deploy SecurityGate scan, and apm audit do not flag this. The deploy roots are not added to the auto-generated .gitignore, so the resulting files are staged by git add by default. This vulnerability is fixed in 0.13.0. | ||||
| CVE-2026-46383 | 1 Microsoft | 1 Apm | 2026-05-17 | 5.5 Medium |
| Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.13.0, Microsoft APM contains a Windows-specific archive extraction boundary failure in the legacy-bundle probe used by apm install <bundle> on supported Python 3.10 and 3.11 runtimes. When apm install is given a local .tar.gz that is not recognized as a plugin-format bundle, APM probes whether it is a legacy --format apm bundle. On Python versions earlier than 3.12, that probe extracts untrusted tar members with raw tar.extractall() without rejecting Windows absolute member names such as D:/.... This vulnerability is fixed in 0.13.0. | ||||
| CVE-2026-41101 | 1 Microsoft | 2 Word, Word For Android | 2026-05-16 | 7.1 High |
| Improper access control in Microsoft Office Word allows an authorized attacker to perform spoofing locally. | ||||
| CVE-2026-41103 | 1 Microsoft | 4 Confluence Saml Sso, Confluence Saml Sso Plugin, Jira Saml Sso and 1 more | 2026-05-16 | 9.1 Critical |
| Incorrect implementation of authentication algorithm in Microsoft SSO Plugin for Jira & Confluence allows an unauthorized attacker to elevate privileges over a network. | ||||
| CVE-2026-41094 | 1 Microsoft | 2 Data Formulator, Data Formulator | 2026-05-16 | 8.8 High |
| Improper control of generation of code ('code injection') in Microsoft Data Formulator allows an unauthorized attacker to execute code over a network. | ||||
| CVE-2026-41086 | 1 Microsoft | 2 Azure Portal Windows Admin Center, Windows Admin Center | 2026-05-15 | 8.8 High |
| Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges over a network. | ||||
| CVE-2026-33821 | 1 Microsoft | 2 Dynamics 365, Dynamics 365 Customer Insights | 2026-05-15 | 7.7 High |
| Improper privilege management in Microsoft Dynamics 365 Customer Insights allows an authorized attacker to elevate privileges over a network. | ||||
| CVE-2026-41089 | 1 Microsoft | 15 Windows Server 2012, Windows Server 2012 (server Core Installation), Windows Server 2012 R2 and 12 more | 2026-05-15 | 9.8 Critical |
| Stack-based buffer overflow in Windows Netlogon allows an unauthorized attacker to execute code over a network. | ||||
| CVE-2026-41095 | 1 Microsoft | 14 Windows Server 2012, Windows Server 2012 R2, Windows Server 2012 R2 and 11 more | 2026-05-15 | 7.8 High |
| Use after free in Data Deduplication allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2026-41096 | 1 Microsoft | 15 Windows 11 22h3, Windows 11 23h2, Windows 11 23h2 and 12 more | 2026-05-15 | 9.8 Critical |
| Heap-based buffer overflow in Microsoft Windows DNS allows an unauthorized attacker to execute code over a network. | ||||
| CVE-2026-41097 | 1 Microsoft | 22 Windows 10 1809, Windows 10 21h2, Windows 10 21h2 and 19 more | 2026-05-15 | 6.7 Medium |
| Reliance on a component that is not updateable in Windows Secure Boot allows an authorized attacker to bypass a security feature locally. | ||||
| CVE-2026-40382 | 1 Microsoft | 30 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 27 more | 2026-05-15 | 7.8 High |
| Use after free in Windows Telephony Service allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2026-41107 | 1 Microsoft | 1 Edge Chromium | 2026-05-15 | 7.4 High |
| External control of file name or path in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose information over a network. | ||||
| CVE-2026-40398 | 1 Microsoft | 30 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 27 more | 2026-05-15 | 7.8 High |
| Heap-based buffer overflow in Windows Remote Desktop allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2026-40402 | 1 Microsoft | 4 Windows 11 22h3, Windows 11 23h2, Windows 11 23h2 and 1 more | 2026-05-15 | 9.3 Critical |
| Use after free in Windows Hyper-V allows an unauthorized attacker to elevate privileges locally. | ||||
| CVE-2026-40403 | 1 Microsoft | 30 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 27 more | 2026-05-15 | 8.8 High |
| Heap-based buffer overflow in Windows Win32K - GRFX allows an authorized attacker to execute code locally. | ||||