A vulnerability in the XML handling component of AOS-8 DHCP services could allow an unauthenticated remote attacker to trigger a denial-of-service condition. Successful exploitation could allow an attacker to cause excessive resource consumption upon user interaction, leading to service disruption o...

Improper access control in the notification management endpoints in Devolutions Server allows an unauthenticated attacker to modify or delete arbitrary user notification records via missing session validation. This issue affects the following versions : * Devolutions Server 2026.1.6.0 throu...

A improper export of android application components vulnerability in Fortinet FortiTokenAndroid 6.2 all versions, FortiTokenAndroid 6.1 all versions, FortiTokenAndroid 5.2 all versions may allow attacker to improper access control via <insert attack vector here>

Shelf is a platform for tracking physical assets. From 1.12 to before 1.20.1, a SQL injection vulnerability in the sortBy query parameter on the /assets route allows any authenticated user (any role) to execute arbitrary SQL and read data from any table in the database, including data belonging to o...

User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.

Improper neutralization of special elements in output used by a downstream component ('injection') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to elevate privileges over a network.

Untrusted search path in Azure Monitor Agent allows an authorized attacker to elevate privileges locally.

linux-entra-sso is a browser plugin for Linux to SSO on Microsoft Entra ID. Prior to 1.8.1, platform/chrome/js/platform-chrome.js:69-88 registers a single declarativeNetRequest rule whose urlFilter is Platform.SSO_URL + "/*", i.e. "https://login.microsoftonline.com/*". Chrome...

Improper access control in M365 Copilot for Desktop allows an unauthorized attacker to perform spoofing locally.

Relative path traversal in Visual Studio Code allows an unauthorized attacker to disclose information locally.

Improper neutralization of input during web page generation ('cross-site scripting') in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally.

Improper access control in M365 Copilot allows an authorized attacker to perform spoofing locally.

Reliance on a component that is not updateable in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.

External control of file name or path in Microsoft Office Word allows an unauthorized attacker to disclose information over a network.

User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.

Heap-based buffer overflow in Volume Manager Extension Driver allows an authorized attacker to execute code with a physical attack.

Exposure of sensitive information to an unauthorized actor in Power Automate allows an authorized attacker to disclose information over a network.

Files or directories accessible to external parties in Microsoft Office Word allows an unauthorized attacker to disclose information locally.

User interface (ui) misrepresentation of critical information in Microsoft Edge for Android allows an unauthorized attacker to perform spoofing over a network.

Out-of-bounds read in Telnet Client allows an unauthorized attacker to disclose information over a network.