By vendor
Microsoft vulnerabilities
Known CVEs affecting Microsoft products, prioritized by severity, with SEC.co remediation and detection guidance.
621 published vulnerabilities · page 7 of 7
- CVE-2026-11665MEDIUM 4.3
A flaw in Google Chrome's graphics rendering engine (Dawn) on Windows could allow an attacker to trick a user into visiting a malicious webpage that leaks sensitive data from other websites the user is logged into. The vulnerability requires user interaction—the user must visit the crafted page—but does not require any special permissions or complex attack setup. The leaked data is limited in scope and does not include the ability to modify or destroy information.
- CVE-2026-11695MEDIUM 4.3
Google Chrome prior to version 149.0.7827.103 contains a flaw in its password handling logic that could allow an attacker to leak sensitive data across website boundaries. An attacker would need to craft a malicious HTML page and convince a user to visit it, but the vulnerability itself does not require the user to take additional actions beyond normal browsing. The leaked data is restricted to information accessible within the browser context of the affected user.
- CVE-2026-45650MEDIUM 4.3
CVE-2026-45650 is a user interface spoofing vulnerability in Microsoft Bing that allows attackers to misrepresent critical information to users over the network. An attacker can craft a malicious link or interaction that tricks Bing's UI into displaying false or misleading content, potentially leading users to believe they are viewing legitimate search results, advertisements, or information when they are not. This requires user interaction to succeed, meaning a victim must click a link or engage with the spoofed element.
- CVE-2026-9907MEDIUM 4.3
A memory read vulnerability in Google Chrome's Dawn graphics component allows attackers to access sensitive data from different website origins. An attacker can craft a malicious web page that, when visited by a user, tricks Chrome into reading memory beyond intended boundaries and leaking information from other websites the user may have open. This affects Windows systems running Chrome versions prior to 148.0.7778.216.
- CVE-2026-9935MEDIUM 4.3
CVE-2026-9935 is a memory safety issue in Google Chrome's ANGLE graphics library that allows attackers to steal sensitive data from other websites. When you visit a malicious webpage, an attacker can craft it to leak information that should be isolated to other sites you have open. The vulnerability requires user interaction—you must visit the attack page—but the bar for exploitation is otherwise low. Google has classified this as High severity internally, though the CVSS score reflects a more limited scope.
- CVE-2026-9986MEDIUM 4.2
CVE-2026-9986 is a UI spoofing vulnerability in Google Chrome's OptimizationGuide component that could let an attacker deceive users about what they're seeing on a webpage. The vulnerability requires the attacker to have already compromised Chrome's rendering process—the engine that draws web content. While this limits the immediate attack scope, it represents a meaningful escalation risk for adversaries who have achieved code execution in that sandboxed component. The flaw stems from inadequate validation of user-supplied input before it's used to generate on-screen elements.
- CVE-2026-10998MEDIUM 4.0
CVE-2026-10998 is a memory safety issue in Google Chrome's media handling code that allows an attacker positioned on the same local network to read data from memory locations they shouldn't have access to. The vulnerability exists in Chrome versions before 149.0.7827.53. An attacker would need to send specially crafted network traffic to trigger an out-of-bounds read, which could potentially expose sensitive information resident in the browser's memory. This is a local-network-only threat, meaning the attacker must be on your network segment to exploit it.
- CVE-2026-45642LOW 3.9
CVE-2026-45642 affects Microsoft's Azure Attestation and Device Health Attestation services, which are used to verify the integrity and trustworthiness of devices and systems. The vulnerability stems from inadequate validation of user-supplied input, allowing an attacker who already has physical access and elevated privileges on a target system to spoof attestation results. This means an attacker could make a compromised or malicious device appear legitimate to systems that rely on attestation checks. The attack requires both physical proximity to the device and administrative-level access, significantly limiting real-world exposure.
- CVE-2026-45455LOW 3.3
A flaw in Microsoft Office Excel can allow an attacker to read memory that shouldn't be accessible, potentially exposing sensitive information on a local system. The vulnerability requires user interaction—someone must open a specially crafted Excel file—but once triggered, it could leak data like file contents or system details. This is a low-severity issue with no direct impact on system availability or file integrity.
- CVE-2026-45459LOW 3.3
Microsoft Excel has a flaw that allows someone with local access to bypass a built-in security protection mechanism. An attacker would need to trick a user into opening a specially crafted Excel file on their machine. The vulnerability exposes some information (such as file contents or formulas) but cannot be used to modify data or crash the application. This is a low-risk issue with limited real-world impact.
- CVE-2026-45466LOW 3.3
A flaw in Microsoft Office Word allows an attacker to trigger a heap-based buffer overflow by crafting a malicious document. When a user opens the document, sensitive information stored in the application's memory could be read by the attacker. This is a local attack—the attacker cannot exploit it remotely—and it requires user interaction to open the malicious file. The confidentiality risk is limited; no system damage or data modification occurs.
- CVE-2026-45485LOW 3.3
Microsoft Office contains a flaw that allows an attacker to read data from memory locations outside the intended bounds, potentially exposing sensitive information stored locally on a user's machine. The vulnerability requires local system access and user interaction (such as opening a malicious document), but does not allow the attacker to modify or delete data or crash the application. This is classified as a low-risk issue because it requires presence on the affected system and a user action to trigger exposure.
- CVE-2026-11240LOW 3.1
CVE-2026-11240 is a low-severity input validation flaw in Google Chrome's Loader component that allows a remote attacker to bypass the browser's site isolation security feature, but only if they have already compromised the renderer process. Site isolation is Chrome's defense mechanism that runs each website in a separate process to prevent one compromised site from accessing data from another. An attacker would need to deliver a specially crafted HTML page to exploit this, making it a post-compromise risk rather than a direct remote code execution vector. The vulnerability affects Chrome versions prior to 149.0.7827.53.
- CVE-2026-11244LOW 3.1
CVE-2026-11244 is a low-severity flaw in Google Chrome's WebAuthentication feature that allows inadequate validation of user-supplied input. An attacker with prior access to Chrome's renderer process—the component responsible for displaying web pages—could craft a malicious HTML page to circumvent the browser's same-origin policy, a fundamental security boundary that prevents scripts from one website accessing data from another. This is not a direct remote code execution and requires both renderer process compromise and user interaction to succeed.
- CVE-2026-11251LOW 3.1
A flaw in Chrome's password manager allows a sophisticated attacker to read stored password information if they can first compromise Chrome's renderer process through a malicious web page. The vulnerability requires multiple conditions to exploit: the attacker must already control the rendering engine, the user must interact with the page, and the attack surface is limited to sensitive credential disclosure. Chrome versions before 149.0.7827.53 are affected. This is not a zero-click issue and does not allow code execution or system-level access.
- CVE-2026-11675LOW 3.1
Google Chrome contained a memory reading vulnerability in its Skia graphics library that could allow an attacker to steal sensitive data from other websites. The attacker would first need to compromise Chrome's renderer process—the sandboxed component that handles web page rendering—and then trick a user into visiting a specially crafted webpage. If successful, the flaw could leak cross-origin data, meaning information from a different website than the one the user thought they were visiting. This vulnerability affects Chrome versions prior to 149.0.7827.103 across Windows, macOS, and Linux systems.
- CVE-2026-11684LOW 3.1
A policy enforcement gap in Google Chrome's Network component allowed attackers who had already compromised Chrome's utility process to steal cross-origin data by serving a specially crafted HTML page. This is a post-compromise attack where the attacker has already gained some level of access to the browser process itself, then exploits this weakness to read data that should be isolated between different websites.
- CVE-2026-11691LOW 3.1
Google Chrome contained a flaw in its New Tab Page that could allow attackers who had already compromised Chrome's renderer process to steal data from websites across different origins. The vulnerability required an attacker to have already broken into the renderer—the sandboxed component that runs web content—and then trick a user into visiting a malicious HTML page. While the Chromium security team rated this High severity internally, the calculated CVSS score is Low (3.1) because the attack requires both prior renderer compromise and user interaction.
- CVE-2026-9944LOW 3.1
CVE-2026-9944 is a memory safety issue in the ANGLE graphics library used by Google Chrome. An attacker who has already compromised Chrome's renderer process can craft a malicious webpage to leak sensitive data from other websites or origins. The vulnerability requires the renderer to be compromised first, limiting the attack surface, but the data leakage potential is real once that initial foothold exists. Chrome versions before 148.0.7778.216 are vulnerable on Windows, macOS, and Linux.
- CVE-2026-9959LOW 3.1
A race condition in WebRTC functionality within Google Chrome on Windows allows an attacker to leak data across origin boundaries. The vulnerability requires user interaction (clicking on a crafted HTML page) and is difficult to exploit reliably due to timing constraints. While the underlying issue is rated High severity by Chromium, the CVSS 3.1 score of 3.1 reflects the practical barriers to exploitation and limited scope—an attacker can extract sensitive information, but cannot modify data or disrupt service.
- CVE-2026-9991LOW 3.1
A vulnerability in Google Chrome's media handling on Windows allows an attacker who has already compromised the browser's renderer process to extract sensitive data across security boundaries. The attacker would need to host a malicious webpage and trick a user into visiting it while the renderer is already under their control. The exposure is information disclosure—no system takeover or crashes—and the barrier to exploitation is relatively high because the attacker must first achieve renderer compromise.