Filtered by vendor Microsoft
Subscriptions
Filtered by product Windows
Subscriptions
Total
9198 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-49734 | 1 Microsoft | 23 Powershell, Windows, Windows 10 and 20 more | 2026-02-20 | 7 High |
| Improper restriction of communication channel to intended endpoints in Windows PowerShell allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2026-25228 | 2 Microsoft, Signalk | 3 Windows, Signal K Server, Signalk-server | 2026-02-20 | 5 Medium |
| Signal K Server is a server application that runs on a central hub in a boat. Prior to 2.20.3, a path traversal vulnerability in SignalK Server's applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The validateAppId() function blocks forward slashes (/) but not backslashes (\), which are treated as directory separators by path.join() on Windows. This enables attackers to escape the intended applicationData directory. This vulnerability is fixed in 2.20.3. | ||||
| CVE-2025-67707 | 3 Esri, Linux, Microsoft | 4 Arcgis Server, Linux, Linux Kernel and 1 more | 2026-02-20 | 5.6 Medium |
| ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated attacker to upload arbitrary files to the server’s designated upload directories. However, the server’s architecture enforces controls that restrict uploaded files to non‑executable storage locations and prevent modification or replacement of existing application components or system configurations. Uploaded files cannot be executed, leveraged to escalate privileges, or used to access sensitive data. Because the issue does not enable execution, service disruption, unauthorized access, or integrity compromise, its impact on confidentiality, integrity, and availability is low. Note that race conditions, secret values, or man‑in‑the‑middle conditions are required for exploitation. | ||||
| CVE-2025-67706 | 3 Esri, Linux, Microsoft | 4 Arcgis Server, Linux, Linux Kernel and 1 more | 2026-02-19 | 5.6 Medium |
| ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated attacker to upload arbitrary files to the server’s designated upload directories. However, the server’s architecture enforces controls that restrict uploaded files to non‑executable storage locations and prevent modification or replacement of existing application components or system configurations. Uploaded files cannot be executed, leveraged to escalate privileges, or used to access sensitive data. Because the issue does not enable execution, service disruption, unauthorized access, or integrity compromise, its impact on confidentiality, integrity, and availability is low. Note that race conditions, secret values, or man‑in‑the‑middle conditions are required for exploitation. | ||||
| CVE-2026-24413 | 2 Icinga, Microsoft | 2 Icinga, Windows | 2026-02-19 | 5.5 Medium |
| Icinga 2 is an open source monitoring system. Starting in version 2.3.0 and prior to versions 2.13.14, 2.14.8, and 2.15.2, the Icinga 2 MSI did not set appropriate permissions for the `%ProgramData%\icinga2\var` folder on Windows. This resulted in the its contents - including the private key of the user and synced configuration - being readable by all local users. All installations on Windows are affected. Versions 2.13.14, 2.14.8, and 2.15.2 contains a fix. There are two possibilities to work around the issue without upgrading Icinga 2. Upgrade Icinga for Windows to at least version v1.13.4, v1.12.4, or v1.11.2. These version will automatically fix the ACLs for the Icinga 2 agent as well. Alternatively, manually update the ACL for the given folder `C:\ProgramData\icinga2\var` (and `C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate` to fix the issue for the Icinga for Windows as well) including every sub-folder and item to restrict access for general users, only allowing the Icinga service user and administrators access. | ||||
| CVE-2025-68154 | 2 Microsoft, Systeminformation | 2 Windows, Systeminformation | 2026-02-19 | 8.1 High |
| systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the `fsSize()` function in systeminformation is vulnerable to OS command injection on Windows systems. The optional `drive` parameter is directly concatenated into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function. The actual exploitability depends on how applications use this function. If an application does not pass user-controlled input to `fsSize()`, it is not vulnerable. Version 5.27.14 contains a patch. | ||||
| CVE-2025-53000 | 2 Jupyter, Microsoft | 2 Nbconvert, Windows | 2026-02-18 | 7.8 High |
| The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. Versions of nbconvert up to and including 7.16.6 on Windows have a vulnerability in which converting a notebook containing SVG output to a PDF results in unauthorized code execution. Specifically, a third party can create a `inkscape.bat` file that defines a Windows batch script, capable of arbitrary code execution. When a user runs `jupyter nbconvert --to pdf` on a notebook containing SVG output to a PDF on a Windows platform from this directory, the `inkscape.bat` file is run unexpectedly. This issue has been patched in version 7.17.0. | ||||
| CVE-2025-34350 | 2 Microsoft, Unform | 2 Windows, Server | 2026-02-18 | N/A |
| UnForm Server versions < 10.1.15 contain an unauthenticated arbitrary file read and SMB coercion vulnerability in the Doc Flow feature’s 'arc' endpoint. The Doc Flow module uses the 'arc' handler to retrieve and render pages or resources specified by the user-supplied 'pp' parameter, but it does so without enforcing authentication or restricting path inputs. As a result, an unauthenticated remote attacker can supply local filesystem paths to read arbitrary files accessible to the service account. On Windows deployments, providing a UNC path can also coerce the server into initiating outbound SMB authentication, potentially exposing NTLM credentials for offline cracking or relay. This issue may lead to sensitive information disclosure and, in some environments, enable further lateral movement. | ||||
| CVE-2020-37160 | 1 Microsoft | 1 Windows | 2026-02-17 | 6.2 Medium |
| SprintWork 2.3.1 contains multiple local privilege escalation vulnerabilities through insecure file, service, and folder permissions on Windows systems. Local unprivileged users can exploit missing executable files and weak service configurations to create a new administrative user and gain complete system access. | ||||
| CVE-2025-62209 | 1 Microsoft | 24 Windows, Windows 10, Windows 10 1507 and 21 more | 2026-02-13 | 5.5 Medium |
| Insertion of sensitive information into log file in Windows License Manager allows an authorized attacker to disclose information locally. | ||||
| CVE-2025-62208 | 1 Microsoft | 25 Windows, Windows 10, Windows 10 1507 and 22 more | 2026-02-13 | 5.5 Medium |
| Insertion of sensitive information into log file in Windows License Manager allows an authorized attacker to disclose information locally. | ||||
| CVE-2025-60723 | 1 Microsoft | 21 Directx, Windows, Windows 10 and 18 more | 2026-02-13 | 6.3 Medium |
| Concurrent execution using shared resource with improper synchronization ('race condition') in Windows DirectX allows an authorized attacker to deny service over a network. | ||||
| CVE-2025-60708 | 1 Microsoft | 22 Windows, Windows 10, Windows 10 1607 and 19 more | 2026-02-13 | 6.5 Medium |
| Untrusted pointer dereference in Storvsp.sys Driver allows an authorized attacker to deny service locally. | ||||
| CVE-2025-60706 | 1 Microsoft | 23 Hyper-v, Windows, Windows 10 and 20 more | 2026-02-13 | 5.5 Medium |
| Out-of-bounds read in Windows Hyper-V allows an authorized attacker to disclose information locally. | ||||
| CVE-2025-59513 | 1 Microsoft | 25 Windows, Windows 10, Windows 10 1607 and 22 more | 2026-02-13 | 5.5 Medium |
| Out-of-bounds read in Windows Bluetooth RFCOM Protocol Driver allows an authorized attacker to disclose information locally. | ||||
| CVE-2025-59510 | 1 Microsoft | 25 Remote, Windows, Windows 10 and 22 more | 2026-02-13 | 5.5 Medium |
| Improper link resolution before file access ('link following') in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to deny service locally. | ||||
| CVE-2025-59509 | 1 Microsoft | 20 Windows, Windows 10, Windows 10 1809 and 17 more | 2026-02-13 | 5.5 Medium |
| Insertion of sensitive information into sent data in Windows Speech allows an authorized attacker to disclose information locally. | ||||
| CVE-2024-25709 | 3 Esri, Linux, Microsoft | 3 Portal For Arcgis, Linux Kernel, Windows | 2026-02-13 | 6.1 Medium |
| There is a stored Cross‑Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS versions 11.2 and below that may allow a remote, authenticated attacker to create a crafted link that can be saved as a new location when moving an existing item, which could potentially execute arbitrary JavaScript code in a victim’s browser. Exploitation does not require any privileges and can be performed by an anonymous user. | ||||
| CVE-2024-25705 | 3 Esri, Linux, Microsoft | 3 Portal For Arcgis, Linux Kernel, Windows | 2026-02-13 | 5.4 Medium |
| There is a cross‑site scripting (XSS) vulnerability in Esri Portal for ArcGIS Experience Builder versions 11.1 and below on Windows and Linux that allows a remote, authenticated attacker with low‑privileged access to create a crafted link which, when clicked, could potentially execute arbitrary JavaScript code in the victim’s browser. Exploitation requires basic authenticated access but does not require elevated or administrative privileges, indicating low privileges are required. | ||||
| CVE-2024-51954 | 3 Esri, Linux, Microsoft | 3 Arcgis Server, Linux Kernel, Windows | 2026-02-13 | 8.5 High |
| There is an improper access control issue in ArcGIS Server versions 11.3 and below on Windows and Linux which, under unique circumstances, could allow a remote, low‑privileged authenticated attacker to access secure services published to a standalone (unfederated) ArcGIS Server instance. Successful exploitation results in unauthorized access to protected services outside the attacker’s originally assigned authorization boundary, constituting a scope change. If exploited, this issue would have a high impact on confidentiality, a low impact on integrity, and no impact on the availability of the software. | ||||