
Microsoft Security Vulnerabilities (CVE)

Explore vulnerabilities and security advisories affecting Microsoft products.

121 known CVE vulnerabilities tracked

Critical: 12 | High: 79 | Medium: 28 | Low: 2 | None: 0


All Microsoft CVEs

CVE-2026-45584
8.1 high

Heap-based buffer overflow in Microsoft Defender allows an unauthorized attacker to execute code over a network.

Malware Protection Engine May 20, 2026
CVE-2026-45498
4.0 medium

Microsoft Defender Denial of Service Vulnerability

Defender Antimalware Platform May 20, 2026
CVE-2026-42834
7.8 high

Improper link resolution before file access ('link following') in Azure Portal Windows Admin Center allows an authorized attacker to elevate privileges locally.

Windows Admin Center May 20, 2026
CVE-2026-41091
7.8 high

Improper link resolution before file access ('link following') in Microsoft Defender allows an authorized attacker to elevate privileges locally.

Malware Protection Engine May 20, 2026
CVE-2026-45585
6.8 medium

Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as "YellowKey". The proof of concept for this vulnerability has been made public violating coordinated vulnerability best practices. We are issuing this CVE to provide mitigation guidance that can

Windows 11 24H2 May 20, 2026
CVE-2026-45495
8.8 high

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

Edge Chromium May 18, 2026
CVE-2026-45494
5.4 medium

Microsoft Edge (Chromium-based) Spoofing Vulnerability

Edge Chromium May 18, 2026
CVE-2026-45492
5.4 medium

Improper input validation in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network.

Edge Chromium May 18, 2026
CVE-2026-42897
8.1 high

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

Exchange Server May 14, 2026
CVE-2026-41615
9.6 critical

Exposure of sensitive information to an unauthorized actor in Microsoft Authenticator allows an unauthorized attacker to disclose information over a network.

Authenticator May 14, 2026
CVE-2026-21530
6.7 medium

Double free in Windows Rich Text Edit allows an authorized attacker to elevate privileges locally.

Windows 10 1607 May 12, 2026
CVE-2026-42826
10.0 critical

Exposure of sensitive information to an unauthorized actor in Azure DevOps allows an unauthorized attacker to disclose information over a network.

Azure DevOps May 7, 2026
CVE-2026-35435
8.6 high

Improper access control in Azure AI Foundry M365 published agents allows an unauthorized attacker to elevate privileges over a network.

Azure AI Foundry May 7, 2026
CVE-2026-35428
9.6 critical

Improper neutralization of special elements used in a command ('command injection') in Azure Cloud Shell allows an unauthorized attacker to perform spoofing over a network.

Azure Cloud Shell May 7, 2026
CVE-2026-34327
8.2 high

Externally controlled reference to a resource in another sphere in Microsoft Partner Center allows an unauthorized attacker to perform spoofing over a network.

Partner Center May 7, 2026
CVE-2026-33844
9.0 critical

Improper input validation in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network.

Azure Managed Instance For Apache Cassandra May 7, 2026
CVE-2026-33823
9.6 critical

Improper authorization in Microsoft Teams allows an authorized attacker to disclose information over a network.

Teams May 7, 2026
CVE-2026-33109
9.9 critical

Improper access control in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network.

Azure Managed Instance For Apache Cassandra May 7, 2026
CVE-2026-32207
8.8 high

Improper neutralization of input during web page generation ('cross-site scripting') in Azure Machine Learning allows an unauthorized attacker to perform spoofing over a network.

Azure Machine Learning May 7, 2026
CVE-2026-26164
7.5 high

Improper neutralization of special elements in output used by a downstream component ('injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.

365 Copilot Chat May 7, 2026
CVE-2026-26129
7.5 high

Improper neutralization of special elements in M365 Copilot allows an unauthorized attacker to disclose information over a network.

365 Copilot Chat May 7, 2026
CVE-2026-32223
6.8 medium

Heap-based buffer overflow in Windows USB Print Driver allows an unauthorized attacker to elevate privileges with a physical attack.

Windows 11 24H2 Apr 14, 2026
CVE-2026-32202
4.3 medium

Protection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over a network.

Windows 10 1607 Apr 14, 2026
CVE-2026-32181
5.5 medium

Improper privilege management in Microsoft Windows allows an authorized attacker to deny service locally.

Windows 10 21H2 Apr 14, 2026