Total CVEs: 131,518
Critical Severity: 2,798
High Severity: 10,013
Last 7 Days: 1,134
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 2,661 - 2,680 of 27,923 CVEs
CVE-2026-42838 MEDIUM - 5.4

Improper neutralization of special elements in output used by a downstream component ('injection') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to elevate privileges over a network.

Vendor: microsoft
Product: edge_chromium
Published: May 12, 2026
Source: NVD
CVE-2026-42833 CRITICAL - 9.1

Execution with unnecessary privileges in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.

Vendor: microsoft
Product: dynamics_365
Published: May 12, 2026
Source: NVD
CVE-2026-42832 HIGH - 7.7

Improper access control in Microsoft Office allows an unauthorized attacker to perform spoofing locally.

Vendor: microsoft
Product: excel
Published: May 12, 2026
Source: NVD
CVE-2026-42831 HIGH - 7.8

Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.

Vendor: microsoft
Product: office
Published: May 12, 2026
Source: NVD
CVE-2026-42830 MEDIUM - 6.5

Untrusted search path in Azure Monitor Agent allows an authorized attacker to elevate privileges locally.

Vendor: microsoft
Product: azure_monitor_agent
Published: May 12, 2026
Source: NVD
CVE-2026-42825 HIGH - 7.0

Use after free in Windows Telephony Service allows an authorized attacker to elevate privileges locally.

Vendor: microsoft
Product: windows_10_1607
Published: May 12, 2026
Source: NVD
CVE-2026-42823 CRITICAL - 9.9

Improper access control in Azure Logic Apps allows an authorized attacker to elevate privileges over a network.

Vendor: microsoft
Product: azure_logic_apps
Published: May 12, 2026
Source: NVD
CVE-2026-42177 MEDIUM - 5.3

linux-entra-sso is a browser plugin for Linux to SSO on Microsoft Entra ID. Prior to 1.8.1, platform/chrome/js/platform-chrome.js:69-88 registers a single declarativeNetRequest rule whose urlFilter is Platform.SSO_URL + "/*", i.e. "https://login.microsoftonline.com/*". Chrome...

Vendor: siemens
Product: linux-entra-sso
Published: May 12, 2026
Source: NVD
CVE-2026-42141 HIGH - 7.7

Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to 4.4.1, an authenticated Server-Side Request Forgery (SSRF) vulnerability in the Xibo CMS allows users with Library upload permissions to make arbitrary HTTP requests fro...

Vendor: xibosignage
Product: xibo-cms
Published: May 12, 2026
Source: NVD
CVE-2026-41614 MEDIUM - 6.2

Improper access control in M365 Copilot for Desktop allows an unauthorized attacker to perform spoofing locally.

Vendor: microsoft
Product: 365_copilot
Published: May 12, 2026
Source: NVD
CVE-2026-41613 HIGH - 8.8

Session fixation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.

Vendor: microsoft
Product: visual_studio_code
Published: May 12, 2026
Source: NVD
CVE-2026-41612 MEDIUM - 5.5

Relative path traversal in Visual Studio Code allows an unauthorized attacker to disclose information locally.

Vendor: microsoft
Product: live_preview
Published: May 12, 2026
Source: NVD
CVE-2026-41611 HIGH - 7.8

Improper neutralization of script-related HTML tags in a web page (basic XSS) in Visual Studio Code allows an unauthorized attacker to execute code locally.

Vendor: microsoft
Product: visual_studio_code
Published: May 12, 2026
Source: NVD
CVE-2026-41610 MEDIUM - 6.3

Improper neutralization of input during web page generation ('cross-site scripting') in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally.

Vendor: microsoft
Product: visual_studio_code
Published: May 12, 2026
Source: NVD

Horilla is an HR and CRM software. In 1.5.0, the notification endpoints trust the unvalidated next parameter and redirect users to arbitrary external URLs. This allows an attacker to turn trusted application links into phishing or social-engineering redirects.

Vendor: horilla
Product: horilla-hr
Published: May 12, 2026
Source: NVD
CVE-2026-41109 HIGH - 8.8

Improper neutralization of special elements in output used by a downstream component ('injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to bypass a security feature over a network.

Vendor: microsoft
Product: visual_studio_code
Published: May 12, 2026
Source: NVD
CVE-2026-41107 HIGH - 7.4

External control of file name or path in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose information over a network.

Vendor: microsoft
Product: edge_chromium
Published: May 12, 2026
Source: NVD
CVE-2026-41103 CRITICAL - 9.1

Incorrect implementation of authentication algorithm in Microsoft SSO Plugin for Jira & Confluence allows an unauthorized attacker to elevate privileges over a network.

Vendor: microsoft
Product: confluence_saml_sso
Published: May 12, 2026
Source: NVD
CVE-2026-41102 HIGH - 7.1

Improper access control in Microsoft Office PowerPoint allows an authorized attacker to perform spoofing locally.

Vendor: microsoft
Product: powerpoint
Published: May 12, 2026
Source: NVD
CVE-2026-41101 HIGH - 7.1

Improper access control in Microsoft Office Word allows an authorized attacker to perform spoofing locally.

Vendor: microsoft
Product: word
Published: May 12, 2026
Source: NVD