Filtered by vendor Microsoft
Subscribe
Total
23283 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-21509 | 1 Microsoft | 3 365 Apps, Office, Office Long Term Servicing Channel | 2026-02-11 | N/A | 7.8 HIGH |
| Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally. | |||||
| CVE-2025-64676 | 1 Microsoft | 1 Purview | 2026-02-10 | N/A | 7.2 HIGH |
| '.../...//' in Microsoft Purview allows an authorized attacker to execute code over a network. | |||||
| CVE-2025-59282 | 1 Microsoft | 16 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 13 more | 2026-02-10 | N/A | 7.0 HIGH |
| Concurrent execution using shared resource with improper synchronization ('race condition') in Inbox COM Objects allows an unauthorized attacker to execute code locally. | |||||
| CVE-2025-58740 | 2 Microsoft, Milner | 2 Windows, Imagedirector Capture | 2026-02-10 | N/A | 5.5 MEDIUM |
| The use of a hard-coded encryption key in calls to the Password function in C2SGlobalSettings.dll in Milner ImageDirector Capture on Windows allows a local attacker to decrypt database credentials by reading the cryptographic key from the executable. This issue affects ImageDirector Capture: from 7.0.9 before 7.6.3.25808. | |||||
| CVE-2025-58742 | 2 Microsoft, Milner | 2 Windows, Imagedirector Capture | 2026-02-10 | N/A | 5.9 MEDIUM |
| Insufficiently Protected Credentials, Improper Restriction of Communication Channel to Intended Endpoints vulnerability in the Connection Settings dialog in Milner ImageDirector Capture on Windows allows Adversary in the Middle (AiTM) by modifying the 'Server' field to redirect client authentication.This issue affects ImageDirector Capture: from 7.0.9 before 7.6.3.25808. | |||||
| CVE-2025-58744 | 2 Microsoft, Milner | 2 Windows, Imagedirector Capture | 2026-02-10 | N/A | 7.5 HIGH |
| Use of Default Credentials, Hard-coded Credentials vulnerability in C2SGlobalSettings.dll in Milner ImageDirector Capture on Windows allows decryption of document archive files using credentials decrypted with hard-coded application encryption key. This issue affects ImageDirector Capture: from 7.0.9.0 before 7.6.3.25808. | |||||
| CVE-2025-58743 | 2 Microsoft, Milner | 2 Windows, Imagedirector Capture | 2026-02-10 | N/A | 7.5 HIGH |
| Use of a Broken or Risky Cryptographic Algorithm (DES) vulnerability in the Password class in C2SConnections.dll in Milner ImageDirector Capture on Windows allows Encryption Brute Forcing to obtain database credentials.This issue affects ImageDirector Capture: from 7.0.9.0 before 7.6.3.25808. | |||||
| CVE-2026-20868 | 1 Microsoft | 14 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 11 more | 2026-02-10 | N/A | 8.8 HIGH |
| Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. | |||||
| CVE-2026-21219 | 1 Microsoft | 1 Windows Software Development Kit | 2026-02-09 | N/A | 7.0 HIGH |
| Use after free in Inbox COM Objects allows an unauthorized attacker to execute code locally. | |||||
| CVE-2026-24888 | 1 Microsoft | 1 Maker.js | 2026-02-09 | N/A | 6.5 MEDIUM |
| Maker.js is a 2D vector line drawing and shape modeling for CNC and laser cutters. In versions up to and including 0.19.1, the `makerjs.extendObject` function copies properties from source objects without proper validation, potentially exposing applications to security risks. The function lacks `hasOwnProperty()` checks and does not filter dangerous keys, allowing inherited properties and potentially malicious properties to be copied to target objects. A patch is available in commit 85e0f12bd868974b891601a141974f929dec36b8, which is expected to be part of version 0.19.2. | |||||
| CVE-2022-46763 | 2 Microsoft, Trueconf | 2 Windows, Server | 2026-02-09 | N/A | 8.8 HIGH |
| A SQL injection issue in a database stored function in TrueConf Server 5.2.0.10225 (fixed in 5.2.6.10025) allows a low-privileged database user to execute arbitrary SQL commands as the database administrator, resulting in execution of arbitrary code. | |||||
| CVE-2024-37385 | 2 Microsoft, Roundcube | 2 Windows, Webmail | 2026-02-06 | N/A | 9.8 CRITICAL |
| Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows allows command injection via im_convert_path and im_identify_path. NOTE: this issue exists because of an incomplete fix for CVE-2020-12641. | |||||
| CVE-2025-3500 | 2 Avast, Microsoft | 2 Antivirus, Windows | 2026-02-06 | N/A | 9.0 CRITICAL |
| Integer Overflow or Wraparound vulnerability in Avast Antivirus (25.1.981.6) on Windows allows Privilege Escalation.This issue affects Antivirus: from 25.1.981.6 before 25.3. | |||||
| CVE-2026-21226 | 1 Microsoft | 1 Azure Core Shared Client Library | 2026-02-05 | N/A | 7.5 HIGH |
| Deserialization of untrusted data in Azure Core shared client library for Python allows an authorized attacker to execute code over a network. | |||||
| CVE-2026-23512 | 2 Microsoft, Sumatrapdfreader | 2 Windows, Sumatrapdf | 2026-02-03 | N/A | 8.6 HIGH |
| SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, there is a Untrusted Search Path vulnerability when Advanced Options setting is trigger. The application executes notepad.exe without specifying an absolute path when using the Advanced Options setting. On Windows, this allows execution of a malicious notepad.exe placed in the application's installation directory, leading to arbitrary code execution. | |||||
| CVE-2026-21264 | 1 Microsoft | 1 Account | 2026-02-03 | N/A | 9.3 CRITICAL |
| Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Account allows an unauthorized attacker to perform spoofing over a network. | |||||
| CVE-2026-21227 | 1 Microsoft | 1 Azure Logic Apps | 2026-02-03 | N/A | 8.2 HIGH |
| Improper limitation of a pathname to a restricted directory ('path traversal') in Azure Logic Apps allows an unauthorized attacker to elevate privileges over a network. | |||||
| CVE-2026-21524 | 1 Microsoft | 1 Azure Data Explorer | 2026-02-03 | N/A | 7.4 HIGH |
| Exposure of sensitive information to an unauthorized actor in Azure Data Explorer allows an unauthorized attacker to disclose information over a network. | |||||
| CVE-2026-24305 | 1 Microsoft | 1 Entra Id | 2026-02-03 | N/A | 9.3 CRITICAL |
| Azure Entra ID Elevation of Privilege Vulnerability | |||||
| CVE-2025-12776 | 3 Commvault, Linux, Microsoft | 3 Commvault, Linux Kernel, Windows | 2026-02-02 | N/A | 5.4 MEDIUM |
| The Report Builder component of the application stores user input directly in a web page and displays it to other users, which raised concerns about a possible Cross-Site Scripting (XSS) attack. Proper management of this functionality helps ensure a secure and seamless user experience. Although the user input is not validated in the report creation, these scripts are not executed when the report is run by end users. The script is executed when the report is modified through the report builder by a user with edit permissions. The Report Builder is part of the WebConsole. The WebConsole package is currently end of life, and is no longer maintained. We strongly recommend against installing or using it in any production environment. However, if you choose to install it, for example, to access functionality like the Report Builder, it must be deployed within a fully isolated network that has no access to sensitive data or internet connectivity. This is a critical security precaution, as the retired package may contain unpatched vulnerabilities and is no longer supported with updates or fixes. | |||||