Filtered by vendor Microsoft Subscriptions
Total 24915 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2007-3109 1 Microsoft 2 Frontpage, Office 2026-04-23 N/A
The CERN Image Map Dispatcher (htimage.exe) in Microsoft FrontPage allows remote attackers to determine the existence, and possibly partial contents, of arbitrary files under the web root via a relative pathname in the PATH_INFO.
CVE-2007-1114 1 Microsoft 1 Ie 2026-04-23 N/A
The child frames in Microsoft Internet Explorer 7 inherit the default charset from the parent window when a charset is not specified in an HTTP Content-Type header or META tag, which allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated using the UTF-7 character set.
CVE-2007-1763 1 Microsoft 1 Windows Vista 2026-04-23 N/A
The ATI kernel driver (atikmdag.sys) in Microsoft Windows Vista allows user-assisted remote attackers to cause a denial of service (crash) via a crafted JPG image, as demonstrated by a slideshow, possibly due to a buffer overflow.
CVE-2009-1808 1 Microsoft 1 Windows Xp 2026-04-23 N/A
Microsoft Windows XP SP3 allows local users to cause a denial of service (system crash) by making an SPI_SETDESKWALLPAPER SystemParametersInfo call with an improperly terminated pvParam argument, followed by an SPI_GETDESKWALLPAPER SystemParametersInfo call.
CVE-2009-0369 1 Microsoft 1 Internet Explorer 2026-04-23 N/A
Microsoft Internet Explorer 7 allows remote attackers to trick a user into visiting an arbitrary URL via an onclick action that moves a crafted element to the current mouse position, related to a "Clickjacking" vulnerability.
CVE-2026-34617 3 Adobe, Apple, Microsoft 5 Adobe Connect, Connect, Connect Desktop Application and 2 more 2026-04-22 8.7 High
Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Cross-Site Scripting (XSS) vulnerability that could result in privilege escalation. A low-privileged attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
CVE-2026-34614 3 Adobe, Apple, Microsoft 5 Adobe Connect, Connect, Connect Desktop Application and 2 more 2026-04-22 6.1 Medium
Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Scope is changed.
CVE-2026-21331 3 Adobe, Apple, Microsoft 5 Adobe Connect, Connect, Connect Desktop Application and 2 more 2026-04-22 6.1 Medium
Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Scope is changed.
CVE-2026-25185 1 Microsoft 30 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 27 more 2026-04-22 5.3 Medium
Exposure of sensitive information to an unauthorized actor in Windows Shell Link Processing allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-25178 1 Microsoft 30 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 27 more 2026-04-22 7 High
Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
CVE-2026-25174 1 Microsoft 30 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 27 more 2026-04-22 7.8 High
Out-of-bounds read in Windows Extensible File Allocation allows an authorized attacker to elevate privileges locally.
CVE-2026-25170 1 Microsoft 15 Windows 11 22h3, Windows 11 23h2, Windows 11 23h2 and 12 more 2026-04-22 7 High
Use after free in Windows Hyper-V allows an authorized attacker to elevate privileges locally.
CVE-2026-25166 1 Microsoft 21 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 18 more 2026-04-22 7.8 High
Deserialization of untrusted data in Windows System Image Manager allows an authorized attacker to execute code locally.
CVE-2026-24295 1 Microsoft 25 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 22 more 2026-04-22 7 High
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Device Association Service allows an authorized attacker to elevate privileges locally.
CVE-2026-24291 1 Microsoft 30 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 27 more 2026-04-22 7.8 High
Incorrect permission assignment for critical resource in Windows Accessibility Infrastructure (ATBroker.exe) allows an authorized attacker to elevate privileges locally.
CVE-2026-24287 1 Microsoft 22 Windows 10 1809, Windows 10 21h2, Windows 10 21h2 and 19 more 2026-04-22 7.8 High
External control of file name or path in Windows Kernel allows an authorized attacker to elevate privileges locally.
CVE-2026-23669 1 Microsoft 30 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 27 more 2026-04-22 8.8 High
Use after free in RPC Runtime allows an authorized attacker to execute code over a network.
CVE-2026-35603 3 Anthropic, Anthropics, Microsoft 3 Claude Code, Claude Code, Windows 2026-04-22 7.3 High
Claude Code is an agentic coding tool. In versions prior to 2.1.75 on Windows, Claude Code loaded the system-wide default configuration from C:\ProgramData\ClaudeCode\managed-settings.json without validating directory ownership or access permissions. Because the ProgramData directory is writable by non-administrative users by default and the ClaudeCode subdirectory was not pre-created or access-restricted, a low-privileged local user could create this directory and place a malicious configuration file that would be automatically loaded for any user launching Claude Code on the same machine. Exploiting this would have required a shared multi-user Windows system and a victim user to launch Claude Code after the malicious configuration was placed. This issue has been fixed on version 2.1.75.
CVE-2014-4113 1 Microsoft 9 Windows 7, Windows 8, Windows 8.1 and 6 more 2026-04-22 7.8 High
win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, as exploited in the wild in October 2014, aka "Win32k.sys Elevation of Privilege Vulnerability."
CVE-2014-4114 1 Microsoft 8 Windows 7, Windows 8, Windows 8.1 and 5 more 2026-04-22 7.8 High
Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document, as exploited in the wild with a "Sandworm" attack in June through October 2014, aka "Windows OLE Remote Code Execution Vulnerability."