Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

Microsoft Corporation

BOS ID

-
BOSS-VENDOR-40789

Tags

-
N/A

Related Bos

-
N/A

Note

-

https://www.microsoft.com/en-us/ https://www.microsoft.com/en-us/legal/terms-of-use?oneroute=true

Mapped CVEsMapped VendorsRelated AssignersReports
25479Vulnerabilities found

CVE-2026-56171
Assigner-Microsoft Corporation
ShareView Details
Assigner-Microsoft Corporation
CVSS Score-7.1||HIGH
EPSS-0.55% / 42.50%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 21:34
Updated-17 Jul, 2026 | 22:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability

Exposure of private personal information to an unauthorized actor in Windows RDP allows an unauthorized attacker to disclose information over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-Windows Admin CenterRemote Desktop Web Client
CWE ID-CWE-359
Exposure of Private Personal Information to an Unauthorized Actor
CVE-2026-57980
Assigner-Microsoft Corporation
ShareView Details
Assigner-Microsoft Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.23% / 13.47%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 21:29
Updated-17 Jul, 2026 | 22:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft Edge (Chromium-based) Tampering Vulnerability

Authentication bypass using an alternate path or channel in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform tampering over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-Microsoft Edge (Chromium-based)
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2026-62826
Assigner-Microsoft Corporation
ShareView Details
Assigner-Microsoft Corporation
CVSS Score-4.6||MEDIUM
EPSS-0.23% / 13.43%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 22:02
Updated-17 Jul, 2026 | 21:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft SharePoint Server Spoofing Vulnerability

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-Microsoft SharePoint Server Subscription EditionMicrosoft SharePoint Enterprise Server 2016Microsoft SharePoint Server 2019
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-58598
Assigner-Microsoft Corporation
ShareView Details
Assigner-Microsoft Corporation
CVSS Score-7||HIGH
EPSS-0.19% / 9.13%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 21:57
Updated-18 Jul, 2026 | 05:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows Backup Service Elevation of Privilege Vulnerability

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Backup Engine allows an authorized attacker to elevate privileges locally.

Action-Not Available
Vendor-Microsoft Corporation
Product-Windows 10 Version 21H2Windows 11 Version 25H2Windows 10 Version 22H2Windows 11 version 26H1Windows 11 Version 24H2
CWE ID-CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE ID-CWE-416
Use After Free
CVE-2026-58643
Assigner-Microsoft Corporation
ShareView Details
Assigner-Microsoft Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.24% / 15.04%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 21:57
Updated-18 Jul, 2026 | 05:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows Admin Center Spoofing Vulnerability

Improper neutralization of input during web page generation ('cross-site scripting') in Windows Admin Center allows an unauthorized attacker to perform spoofing over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-Windows Admin Center
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-59117
Assigner-Microsoft Corporation
ShareView Details
Assigner-Microsoft Corporation
CVSS Score-7.5||HIGH
EPSS-0.45% / 36.48%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 21:56
Updated-17 Jul, 2026 | 21:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows Terminal Remote Code Execution Vulnerability

Integer overflow or wraparound in Windows Terminal allows an unauthorized attacker to execute code over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-Windows Terminal App
CWE ID-CWE-190
Integer Overflow or Wraparound
CVE-2026-55440
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.66% / 47.50%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 15:35
Updated-16 Jul, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft UFO: COMMAND_RESULTS handler creates unowned sessions, allowing authenticated session-squatting denial of service

Microsoft UFO open-source framework for intelligent automation across devices and platforms. Prior to 3.0.7, the COMMAND_RESULTS handler in ufo/server/ws/handler.py called get_or_create_session in ufo/server/services/session_manager.py without owner_client_id, allowing an authenticated client to create an unowned attacker-chosen session_id such as constellation_task_id = f"{task_name}@{task_id}" and deny the legitimate owner or exhaust memory with phantom sessions. This issue is fixed in version 3.0.7.

Action-Not Available
Vendor-Microsoft Corporation
Product-UFO
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-862
Missing Authorization
CVE-2026-54568
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.54% / 41.60%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 15:32
Updated-16 Jul, 2026 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft UFO: Missing Authorization in DEVICE_INFO_REQUEST Allows a DEVICE Client to Read Another Device's system_info

Microsoft UFO open-source framework for intelligent automation across devices and platforms. From 3.0.0 until 3.0.6, a client connected to the UFO WebSocket server as a DEVICE could call DEVICE_INFO_REQUEST with another device's target_id and receive that device's server-side system_info through ufo/server/ws/handler.py, because handle_device_info_request and get_device_info did not enforce the constellation-only role or object-level authorization boundary. This issue is fixed in version 3.0.6.

Action-Not Available
Vendor-Microsoft Corporation
Product-UFO
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CWE ID-CWE-862
Missing Authorization
CVE-2026-57206
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-8.6||HIGH
EPSS-0.89% / 55.37%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 15:17
Updated-16 Jul, 2026 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SimpleChat plugin validation endpoints missing authentication and authorization

SimpleChat is a secure AI conversation application with personal and group workspaces for document-grounded interactions. Prior to 0.241.206, several plugin validation routes in application/single_app/plugin_validation_endpoint.py, including `POST /api/admin/plugins/test-instantiation`, `GET /api/admin/plugins/health-check/<plugin_name>`, `POST /api/admin/plugins/repair/<plugin_name>`, and `POST /api/plugins/validate`, relied on @swagger_route(security=get_auth_security()) documentation without enforcing @login_required, @user_required, or @admin_required at runtime, allowing unauthenticated or unauthorized clients to invoke plugin validation, health, and repair behavior. This issue is fixed in version 0.241.206.

Action-Not Available
Vendor-Microsoft Corporation
Product-simplechat
CWE ID-CWE-306
Missing Authentication for Critical Function
CWE ID-CWE-862
Missing Authorization
CVE-2026-57205
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.50% / 39.50%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 15:12
Updated-16 Jul, 2026 | 17:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SimpleChat: Authenticated users can access other users' profile metadata through user IDOR endpoints

SimpleChat is a secure AI conversation application with personal and group workspaces for document-grounded interactions. Prior to 0.241.203, the authenticated GET /api/user/info/<user_id> and GET /api/user/profile-image/<user_id> endpoints in application/single_app/route_backend_users.py accepted a caller-supplied user_id and read the matching Cosmos DB user-settings document without object-level authorization, allowing a low-privilege authenticated user to retrieve another user's email address, display name, and profile image. This issue is fixed in version 0.241.203.

Action-Not Available
Vendor-Microsoft Corporation
Product-simplechat
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CWE ID-CWE-862
Missing Authorization
CVE-2026-53598
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-1.06% / 60.67%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 14:59
Updated-17 Jul, 2026 | 14:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prompty: Arbitrary File Read via ${file:path} Reference Expansion

Prompty is a markdown file format (.prompty) for LLM prompts. Prior to 2.0.0-beta.2, Prompty loaders expanded ${file:...} references in .prompty frontmatter without enforcing that resolved paths stayed within the prompt directory or allowed roots, allowing an attacker-controlled prompt file to read local files through absolute paths, .. traversal, or symlink escapes. This issue is fixed in versions 2.0.0-beta.2.

Action-Not Available
Vendor-Microsoft Corporation
Product-prompty
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-53597
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-0.93% / 56.64%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 14:54
Updated-18 Jul, 2026 | 03:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Prompty: Arbitrary code execution via JavaScript frontmatter in TypeScript loader

Prompty is a markdown file format (.prompty) for LLM prompts. From 2.0.0-alpha.1 until 2.0.0-beta.3, the @prompty/core TypeScript loader in runtime/typescript/packages/core/src/core/loader.ts used gray-matter without overriding executable js and javascript frontmatter engines, allowing an attacker-controlled .prompty file with ---js frontmatter to execute arbitrary JavaScript during prompt loading. This issue is fixed in version 2.0.0-beta.3.

Action-Not Available
Vendor-Microsoft Corporation
Product-prompty
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-54733
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-9.3||CRITICAL
EPSS-0.92% / 56.15%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 14:52
Updated-16 Jul, 2026 | 17:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
moodle-local_o365: Authentication bypass via unverified JWT signature in Teams SSO endpoint

The Microsoft 365 and Microsoft Entra ID Plugins for Moodle provide Office 365 and Azure Active Directory integration for Moodle. Prior to 4.5.6, 5.0.5, and 5.1.1, the Microsoft Office 365 Integration plugin local_o365 Teams SSO endpoint sso_login.php base64-decodes a JWT payload and authenticates users from the upn claim without verifying the JWT signature, allowing an unauthenticated attacker to forge a token and obtain a Moodle session as an O365-authenticated user. This issue is fixed in versions 4.5.6, 5.0.5, and 5.1.1.

Action-Not Available
Vendor-Microsoft Corporation
Product-o365-moodle
CWE ID-CWE-347
Improper Verification of Cryptographic Signature
CVE-2026-59867
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-7.1||HIGH
EPSS-1.92% / 77.63%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 14:48
Updated-16 Jul, 2026 | 17:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kiota: Generation-time SSRF + remote/local file inclusion via unrestricted $ref

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, Kiota resolved OpenAPI $ref values by fetching remote http(s) URLs and reading local absolute or out-of-tree file paths, allowing `kiota generate` on an attacker-controlled or attacker-influenced description to perform build-time SSRF, remote file inclusion, and local file inclusion by inlining external schemas such as REMOTE_KIOTA_PROP or Leaked into generated clients. This issue is fixed in version 1.32.5 by AllowedExternalOriginsStreamLoader and the --allowed-external-origins option.

Action-Not Available
Vendor-Microsoft Corporation
Product-kiota
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-829
Inclusion of Functionality from Untrusted Control Sphere
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-59866
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-9.3||CRITICAL
EPSS-1.35% / 68.47%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 14:46
Updated-17 Jul, 2026 | 05:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kiota: Arbitrary file write + code-injection via x-ms-kiota-info clientClassName and clientNamespaceName

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, Kiota emitted x-ms-kiota-info clientClassName and clientNamespaceName values without identifier or path sanitization as both generated client class or namespace names and generated output path components when `kiota generate` ran without -c/--class-name, allowing an attacker-controlled or compromised OpenAPI description to write generated source outside the -o output directory and inject arbitrary text into generated class or namespace declarations. This issue is fixed in version 1.32.5 by GenerationConfiguration.SanitizeClientClassName and SanitizeClientNamespaceName.

Action-Not Available
Vendor-Microsoft Corporation
Product-kiota
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-59864
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-9.3||CRITICAL
EPSS-1.27% / 66.68%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 14:45
Updated-17 Jul, 2026 | 05:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kiota: Path/URL injection into generated Copilot plugin manifest via x-ai-* extensions

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, `kiota plugin add` and `kiota plugin generate` (with `-t APIPlugin`) emitted attacker-controlled static_template.file values from x-ai-adaptive-card and x-ai-capabilities into generated Microsoft 365 Copilot and Teams plugin manifests without path validation, allowing ../, absolute, rooted, UNC, Windows drive, or URI paths in response_semantics.static_template.file to cause path traversal or out-of-package file inclusion when the generated plugin was deployed. This issue is fixed in version 1.32.5.

Action-Not Available
Vendor-Microsoft Corporation
Product-kiota
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-829
Inclusion of Functionality from Untrusted Control Sphere
CVE-2026-59865
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-9.3||CRITICAL
EPSS-3.19% / 86.66%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 14:43
Updated-17 Jul, 2026 | 05:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kiota: Command injection via x-ms-kiota-info dependencyInstallCommand surfaced by `kiota info`

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, `kiota info` read x-ms-kiota-info.languagesInformation.<language>.dependencyInstallCommand plus dependency name and version values from an OpenAPI description and presented the spec-supplied command as Kiota's recommended install command, allowing an attacker-controlled or compromised description to cause command injection when the suggested command was run manually or through the Kiota VS Code extension's kiota info --json dependency-install flow. This issue is fixed in version 1.32.5.

Action-Not Available
Vendor-Microsoft Corporation
Product-kiota
CWE ID-CWE-829
Inclusion of Functionality from Untrusted Control Sphere
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-59863
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-7||HIGH
EPSS-1.12% / 62.61%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 14:42
Updated-16 Jul, 2026 | 17:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kiota: Workspace-config poisoning: out-of-repo file write + generation-time SSRF

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, Kiota honored a poisoned .kiota/workspace.json workspace configuration without validating per-client or per-plugin outputPath values during kiota client generate and kiota plugin generate, allowing a malicious repository or pull request to use absolute paths, rooted POSIX / paths, UNC \\ or // paths, Windows drive X:\ paths, or .. traversal segments to write generated client files outside the workspace root on a developer or CI host. This issue is fixed in version 1.32.5.

Action-Not Available
Vendor-Microsoft Corporation
Product-kiota
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-59859
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-1.02% / 59.43%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 14:40
Updated-17 Jul, 2026 | 05:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kiota: Code Generation Literal Injection in the PHP Generator

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.4, Kiota's PHP generator embedded OpenAPI description, default fields, property names, and other schema-derived strings into PHP double-quoted literals through SanitizeDoubleQuote() in Writers/StringExtensions.cs without escaping $, allowing attacker-controlled ${...}, $var, or {$obj->prop} interpolation constructs to inject arbitrary PHP code into generated model and request-builder classes. This issue is fixed in version 1.32.4.

Action-Not Available
Vendor-Microsoft Corporation
Product-kiota
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-59862
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-1.02% / 59.52%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 14:38
Updated-17 Jul, 2026 | 05:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kiota: Code Generation Literal Injection in the Python Generator

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.0, Kiota's Python generator let attacker-controlled enum value descriptions from x-ms-enum.values[].description flow through KiotaBuilder.SetEnumOptions into Documentation.DescriptionTemplate and PythonConventionService.RemoveInvalidDescriptionCharacters without newline sanitization, allowing generated inline comments to split and execute attacker-controlled Python code at module scope when generated modules were imported. This issue is fixed in version 1.32.0.

Action-Not Available
Vendor-Microsoft Corporation
Product-kiota
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-59861
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-1.47% / 70.87%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 14:36
Updated-17 Jul, 2026 | 05:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kiota: Code Generation Literal Injection in Kiota Ruby Generator

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.0, Kiota's Ruby generator embedded OpenAPI default fields, property names, and other schema-derived strings through CodeMethodWriter.cs and SanitizeForQuotedLiteral() in Writers/StringExtensions.cs into Ruby double-quoted literals without escaping #, allowing attacker-controlled #{expr}, #$var, or #@var interpolation markers to inject arbitrary Ruby code into generated model classes. This issue is fixed in version 1.32.0.

Action-Not Available
Vendor-Microsoft Corporation
Product-kiota
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-59860
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-1.02% / 59.43%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 14:34
Updated-17 Jul, 2026 | 05:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kiota: XML Doc-Comment Newline Breakout Code Injection

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.3, Kiota is affected by a code-generation injection vulnerability in the C# XML documentation-comment sink (the description, externalDocs label, and externalDocs link fields emitted as /// … comments). When text from an OpenAPI description is written into single-line XML doc comments without stripping newline and Unicode line-terminator characters, an attacker can break out of the /// comment line and inject additional code into generated C# clients. This issue is fixed in version 1.32.3.

Action-Not Available
Vendor-Microsoft Corporation
Product-kiota
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-40952
Assigner-Absolute Software
ShareView Details
Assigner-Absolute Software
CVSS Score-8.5||HIGH
EPSS-0.09% / 0.73%
||
7 Day CHG~0.00%
Published-15 Jul, 2026 | 19:32
Updated-16 Jul, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Privilge misconfiguration in Secure Access installers

CVE-2026-40952 is a privilege misconfiguration in the Secure Access installer for the Windows client and server prior to version 14.55. Attackers with local access to the client or server can use it to elevate privileges to Administrator when Secure Access is installed in a non-default location.

Action-Not Available
Vendor-Absolute Software CorporationMicrosoft Corporation
Product-secure_accesswindowsSecure Access
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2026-48295
Assigner-Adobe Systems Incorporated
ShareView Details
Assigner-Adobe Systems Incorporated
CVSS Score-7.5||HIGH
EPSS-0.39% / 31.17%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 21:33
Updated-16 Jul, 2026 | 19:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CAI Content Credentials | Insufficiently Protected Credentials (CWE-522)

CAI Content Credentials is affected by an Insufficiently Protected Credentials vulnerability that could result in disclosure of sensitive information. An attacker could leverage this vulnerability to gain unauthorized read access. Exploitation of this issue does not require user interaction.

Action-Not Available
Vendor-Microsoft CorporationAdobe Inc.Apple Inc.Linux Kernel Organization, IncGoogle LLC
Product-macosiphone_oslinux_kernelc2pa-webc2patoolc2pawindowsandroidContent Credentials Command-Line ToolContent Credentials JS SDKContent Credentials Rust SDK
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2026-48290
Assigner-Adobe Systems Incorporated
ShareView Details
Assigner-Adobe Systems Incorporated
CVSS Score-8.2||HIGH
EPSS-0.18% / 7.43%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 21:33
Updated-16 Jul, 2026 | 19:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CAI Content Credentials | Server-Side Request Forgery (SSRF) (CWE-918)

CAI Content Credentials is affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

Action-Not Available
Vendor-Microsoft CorporationAdobe Inc.Apple Inc.Linux Kernel Organization, IncGoogle LLC
Product-macosiphone_oslinux_kernelc2pa-webc2patoolc2pawindowsandroidContent Credentials Command-Line ToolContent Credentials JS SDKContent Credentials Rust SDK
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-48357
Assigner-Adobe Systems Incorporated
ShareView Details
Assigner-Adobe Systems Incorporated
CVSS Score-6.2||MEDIUM
EPSS-0.15% / 4.92%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 21:33
Updated-16 Jul, 2026 | 19:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CAI Content Credentials | Uncontrolled Resource Consumption (CWE-400)

CAI Content Credentials is affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.

Action-Not Available
Vendor-Microsoft CorporationAdobe Inc.Apple Inc.Linux Kernel Organization, IncGoogle LLC
Product-macosiphone_oslinux_kernelc2pa-webc2patoolc2pawindowsandroidContent Credentials Command-Line ToolContent Credentials JS SDKContent Credentials Rust SDK
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2026-48296
Assigner-Adobe Systems Incorporated
ShareView Details
Assigner-Adobe Systems Incorporated
CVSS Score-6.2||MEDIUM
EPSS-0.15% / 4.96%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 21:32
Updated-16 Jul, 2026 | 19:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CAI Content Credentials | Integer Underflow (Wrap or Wraparound) (CWE-191)

CAI Content Credentials is affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.

Action-Not Available
Vendor-Microsoft CorporationAdobe Inc.Apple Inc.Linux Kernel Organization, IncGoogle LLC
Product-macosiphone_oslinux_kernelc2pa-webc2patoolc2pawindowsandroidContent Credentials Command-Line ToolContent Credentials JS SDKContent Credentials Rust SDK
CWE ID-CWE-191
Integer Underflow (Wrap or Wraparound)
CVE-2026-48287
Assigner-Adobe Systems Incorporated
ShareView Details
Assigner-Adobe Systems Incorporated
CVSS Score-7.4||HIGH
EPSS-0.14% / 3.65%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 21:32
Updated-16 Jul, 2026 | 19:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CAI Content Credentials | Untrusted Search Path (CWE-426)

CAI Content Credentials is affected by an Untrusted Search Path vulnerability that could result in arbitrary code execution in the context of the current user. Exploit depends on conditions beyond the attacker's control. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

Action-Not Available
Vendor-Microsoft CorporationAdobe Inc.Apple Inc.Linux Kernel Organization, IncGoogle LLC
Product-macosiphone_oslinux_kernelc2pa-webc2patoolc2pawindowsandroidContent Credentials Command-Line ToolContent Credentials JS SDKContent Credentials Rust SDK
CWE ID-CWE-426
Untrusted Search Path
CVE-2026-48312
Assigner-Adobe Systems Incorporated
ShareView Details
Assigner-Adobe Systems Incorporated
CVSS Score-6.8||MEDIUM
EPSS-0.16% / 5.42%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 21:32
Updated-16 Jul, 2026 | 19:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CAI Content Credentials | Improper Input Validation (CWE-20)

CAI Content Credentials is affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction.

Action-Not Available
Vendor-Microsoft CorporationAdobe Inc.Apple Inc.Linux Kernel Organization, IncGoogle LLC
Product-macosiphone_oslinux_kernelc2pa-webc2patoolc2pawindowsandroidContent Credentials Command-Line ToolContent Credentials JS SDKContent Credentials Rust SDK
CWE ID-CWE-20
Improper Input Validation
CVE-2026-48351
Assigner-Adobe Systems Incorporated
ShareView Details
Assigner-Adobe Systems Incorporated
CVSS Score-7.5||HIGH
EPSS-0.41% / 32.99%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 21:32
Updated-16 Jul, 2026 | 19:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CAI Content Credentials | Improper Input Validation (CWE-20)

CAI Content Credentials is affected by an Improper Input Validation vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.

Action-Not Available
Vendor-Microsoft CorporationAdobe Inc.Apple Inc.Linux Kernel Organization, IncGoogle LLC
Product-macosiphone_oslinux_kernelc2pa-webc2patoolc2pawindowsandroidContent Credentials Command-Line ToolContent Credentials JS SDKContent Credentials Rust SDK
CWE ID-CWE-20
Improper Input Validation
CVE-2026-48302
Assigner-Adobe Systems Incorporated
ShareView Details
Assigner-Adobe Systems Incorporated
CVSS Score-6.2||MEDIUM
EPSS-0.15% / 4.96%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 21:32
Updated-16 Jul, 2026 | 19:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CAI Content Credentials | Improper Input Validation (CWE-20)

CAI Content Credentials is affected by an Improper Input Validation vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.

Action-Not Available
Vendor-Microsoft CorporationAdobe Inc.Apple Inc.Linux Kernel Organization, IncGoogle LLC
Product-macosiphone_oslinux_kernelc2pa-webc2patoolc2pawindowsandroidContent Credentials Command-Line ToolContent Credentials JS SDKContent Credentials Rust SDK
CWE ID-CWE-20
Improper Input Validation
CVE-2026-48354
Assigner-Adobe Systems Incorporated
ShareView Details
Assigner-Adobe Systems Incorporated
CVSS Score-6.2||MEDIUM
EPSS-0.15% / 4.92%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 21:32
Updated-16 Jul, 2026 | 19:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CAI Content Credentials | Integer Overflow or Wraparound (CWE-190)

CAI Content Credentials is affected by an Integer Overflow or Wraparound vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.

Action-Not Available
Vendor-Microsoft CorporationAdobe Inc.Apple Inc.Linux Kernel Organization, IncGoogle LLC
Product-macosiphone_oslinux_kernelc2pa-webc2patoolc2pawindowsandroidContent Credentials Command-Line ToolContent Credentials JS SDKContent Credentials Rust SDK
CWE ID-CWE-190
Integer Overflow or Wraparound
CVE-2026-48298
Assigner-Adobe Systems Incorporated
ShareView Details
Assigner-Adobe Systems Incorporated
CVSS Score-6.2||MEDIUM
EPSS-0.15% / 4.92%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 21:32
Updated-16 Jul, 2026 | 19:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CAI Content Credentials | Integer Underflow (Wrap or Wraparound) (CWE-191)

CAI Content Credentials is affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.

Action-Not Available
Vendor-Microsoft CorporationAdobe Inc.Apple Inc.Linux Kernel Organization, IncGoogle LLC
Product-macosiphone_oslinux_kernelc2pa-webc2patoolc2pawindowsandroidContent Credentials Command-Line ToolContent Credentials JS SDKContent Credentials Rust SDK
CWE ID-CWE-191
Integer Underflow (Wrap or Wraparound)
CVE-2026-48352
Assigner-Adobe Systems Incorporated
ShareView Details
Assigner-Adobe Systems Incorporated
CVSS Score-7.5||HIGH
EPSS-0.41% / 32.99%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 21:32
Updated-16 Jul, 2026 | 19:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CAI Content Credentials | Improper Input Validation (CWE-20)

CAI Content Credentials is affected by an Improper Input Validation vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.

Action-Not Available
Vendor-Microsoft CorporationAdobe Inc.Apple Inc.Linux Kernel Organization, IncGoogle LLC
Product-macosiphone_oslinux_kernelc2pa-webc2patoolc2pawindowsandroidContent Credentials Command-Line ToolContent Credentials JS SDKContent Credentials Rust SDK
CWE ID-CWE-20
Improper Input Validation
CVE-2026-48353
Assigner-Adobe Systems Incorporated
ShareView Details
Assigner-Adobe Systems Incorporated
CVSS Score-5.5||MEDIUM
EPSS-0.15% / 5.04%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 21:32
Updated-16 Jul, 2026 | 19:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CAI Content Credentials | Improper Input Validation (CWE-20)

CAI Content Credentials is affected by an Improper Input Validation vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Action-Not Available
Vendor-Microsoft CorporationAdobe Inc.Apple Inc.Linux Kernel Organization, IncGoogle LLC
Product-macosiphone_oslinux_kernelc2pa-webc2patoolc2pawindowsandroidContent Credentials Command-Line ToolContent Credentials JS SDKContent Credentials Rust SDK
CWE ID-CWE-20
Improper Input Validation
CVE-2026-48336
Assigner-Adobe Systems Incorporated
ShareView Details
Assigner-Adobe Systems Incorporated
CVSS Score-7.8||HIGH
EPSS-0.14% / 3.61%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 21:16
Updated-16 Jul, 2026 | 18:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Illustrator | Out-of-bounds Write (CWE-787)

Illustrator is affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Action-Not Available
Vendor-Adobe Inc.Microsoft Corporation
Product-illustratorwindowsIllustrator Desktop 2025Illustrator Desktop 2026
CWE ID-CWE-787
Out-of-bounds Write
CVE-2026-48335
Assigner-Adobe Systems Incorporated
ShareView Details
Assigner-Adobe Systems Incorporated
CVSS Score-7.8||HIGH
EPSS-0.14% / 3.61%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 21:16
Updated-16 Jul, 2026 | 18:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Illustrator | Out-of-bounds Write (CWE-787)

Illustrator is affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Action-Not Available
Vendor-Adobe Inc.Microsoft Corporation
Product-illustratorwindowsIllustrator Desktop 2025Illustrator Desktop 2026
CWE ID-CWE-787
Out-of-bounds Write
CVE-2026-48337
Assigner-Adobe Systems Incorporated
ShareView Details
Assigner-Adobe Systems Incorporated
CVSS Score-7.8||HIGH
EPSS-0.14% / 3.61%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 21:16
Updated-16 Jul, 2026 | 18:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Illustrator | Out-of-bounds Write (CWE-787)

Illustrator is affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Action-Not Available
Vendor-Adobe Inc.Microsoft Corporation
Product-illustratorwindowsIllustrator Desktop 2025Illustrator Desktop 2026
CWE ID-CWE-787
Out-of-bounds Write
CVE-2026-48334
Assigner-Adobe Systems Incorporated
ShareView Details
Assigner-Adobe Systems Incorporated
CVSS Score-9.3||CRITICAL
EPSS-0.43% / 34.59%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 21:16
Updated-16 Jul, 2026 | 18:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Illustrator | Improper Input Validation (CWE-20)

Illustrator is affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.

Action-Not Available
Vendor-Adobe Inc.Microsoft Corporation
Product-illustratorwindowsIllustrator Desktop 2025Illustrator Desktop 2026
CWE ID-CWE-20
Improper Input Validation
CVE-2026-48275
Assigner-Adobe Systems Incorporated
ShareView Details
Assigner-Adobe Systems Incorporated
CVSS Score-8.6||HIGH
EPSS-0.16% / 5.37%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 21:16
Updated-16 Jul, 2026 | 18:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Illustrator | Untrusted Search Path (CWE-426)

Illustrator is affected by an Untrusted Search Path vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.

Action-Not Available
Vendor-Adobe Inc.Microsoft Corporation
Product-illustratorwindowsIllustrator Desktop 2025Illustrator Desktop 2026
CWE ID-CWE-426
Untrusted Search Path
CVE-2026-48340
Assigner-Adobe Systems Incorporated
ShareView Details
Assigner-Adobe Systems Incorporated
CVSS Score-7.8||HIGH
EPSS-0.17% / 6.66%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 20:35
Updated-16 Jul, 2026 | 19:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bridge | Untrusted Pointer Dereference (CWE-822)

Bridge is affected by an Untrusted Pointer Dereference vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Action-Not Available
Vendor-Adobe Inc.Apple Inc.Microsoft Corporation
Product-bridgewindowsmacosAdobe Bridge
CWE ID-CWE-822
Untrusted Pointer Dereference
CVE-2026-48343
Assigner-Adobe Systems Incorporated
ShareView Details
Assigner-Adobe Systems Incorporated
CVSS Score-7.8||HIGH
EPSS-0.15% / 4.47%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 20:35
Updated-16 Jul, 2026 | 19:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bridge | Out-of-bounds Write (CWE-787)

Bridge is affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Action-Not Available
Vendor-Adobe Inc.Apple Inc.Microsoft Corporation
Product-bridgewindowsmacosAdobe Bridge
CWE ID-CWE-787
Out-of-bounds Write
CVE-2026-48339
Assigner-Adobe Systems Incorporated
ShareView Details
Assigner-Adobe Systems Incorporated
CVSS Score-7.8||HIGH
EPSS-0.19% / 8.51%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 20:35
Updated-16 Jul, 2026 | 19:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bridge | Heap-based Buffer Overflow (CWE-122)

Bridge is affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Action-Not Available
Vendor-Adobe Inc.Apple Inc.Microsoft Corporation
Product-bridgewindowsmacosAdobe Bridge
CWE ID-CWE-122
Heap-based Buffer Overflow
CVE-2026-48311
Assigner-Adobe Systems Incorporated
ShareView Details
Assigner-Adobe Systems Incorporated
CVSS Score-7.8||HIGH
EPSS-0.15% / 4.47%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 20:35
Updated-16 Jul, 2026 | 19:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bridge | Out-of-bounds Write (CWE-787)

Bridge is affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Action-Not Available
Vendor-Adobe Inc.Apple Inc.Microsoft Corporation
Product-bridgewindowsmacosAdobe Bridge
CWE ID-CWE-787
Out-of-bounds Write
CVE-2026-48342
Assigner-Adobe Systems Incorporated
ShareView Details
Assigner-Adobe Systems Incorporated
CVSS Score-7.8||HIGH
EPSS-0.17% / 6.60%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 20:35
Updated-16 Jul, 2026 | 19:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bridge | Integer Overflow or Wraparound (CWE-190)

Bridge is affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Action-Not Available
Vendor-Adobe Inc.Apple Inc.Microsoft Corporation
Product-bridgewindowsmacosAdobe Bridge
CWE ID-CWE-190
Integer Overflow or Wraparound
CVE-2026-48341
Assigner-Adobe Systems Incorporated
ShareView Details
Assigner-Adobe Systems Incorporated
CVSS Score-7.8||HIGH
EPSS-0.15% / 4.53%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 20:35
Updated-16 Jul, 2026 | 19:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bridge | Out-of-bounds Write (CWE-787)

Bridge is affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Action-Not Available
Vendor-Adobe Inc.Apple Inc.Microsoft Corporation
Product-bridgewindowsmacosAdobe Bridge
CWE ID-CWE-787
Out-of-bounds Write
CVE-2026-48272
Assigner-Adobe Systems Incorporated
ShareView Details
Assigner-Adobe Systems Incorporated
CVSS Score-7.8||HIGH
EPSS-0.13% / 3.07%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 20:21
Updated-17 Jul, 2026 | 03:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Creative Cloud Desktop | Uncontrolled Search Path Element (CWE-427)

Creative Cloud Desktop is affected by an Uncontrolled Search Path Element vulnerability that could result in arbitrary code execution in the context of the current user. Exploit depends on conditions beyond the attacker's control. Exploitation of this issue does not require user interaction. Scope is changed.

Action-Not Available
Vendor-Adobe Inc.Microsoft Corporation
Product-creative_cloud_desktop_applicationwindowsCreative Cloud Desktop
CWE ID-CWE-427
Uncontrolled Search Path Element
CVE-2026-48344
Assigner-Adobe Systems Incorporated
ShareView Details
Assigner-Adobe Systems Incorporated
CVSS Score-7.8||HIGH
EPSS-0.10% / 1.22%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 20:21
Updated-17 Jul, 2026 | 03:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GoCart | Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)

Creative Cloud Desktop is affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could result in arbitrary code execution in the context of the current user. Exploit depends on conditions beyond the attacker's control. Exploitation of this issue does not require user interaction. Scope is changed.

Action-Not Available
Vendor-Adobe Inc.Microsoft Corporation
Product-creative_cloud_desktop_applicationwindowsCreative Cloud Desktop
CWE ID-CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
CVE-2026-15773
Assigner-Chrome
ShareView Details
Assigner-Chrome
CVSS Score-9.6||CRITICAL
EPSS-0.25% / 16.46%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 20:09
Updated-15 Jul, 2026 | 17:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Use after free in Core in Google Chrome on Windows prior to 150.0.7871.125 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Action-Not Available
Vendor-Microsoft CorporationGoogle LLC
Product-chromewindowsChrome
CWE ID-CWE-416
Use After Free
CVE-2026-15771
Assigner-Chrome
ShareView Details
Assigner-Chrome
CVSS Score-5.3||MEDIUM
EPSS-0.27% / 19.33%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 20:09
Updated-15 Jul, 2026 | 17:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insufficient validation of untrusted input in Media in Google Chrome on Windows prior to 150.0.7871.125 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

Action-Not Available
Vendor-Microsoft CorporationGoogle LLC
Product-chromewindowsChrome
CWE ID-CWE-20
Improper Input Validation
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 509
  • 510
  • Next