CVE Daily
← All tags

Tag: Microsoft Windows

All CVEs associated with "Microsoft Windows". Page 8/121 • 14514 CVEs.

Subscribe CVEs: RSS for “Microsoft Windows”  ·  RSS (High+Critical only)

About “Microsoft Windows”

A curated feed of “Microsoft Windows”-related CVEs appears below. We currently track 14514 CVEs for this tag (all time). In the last 365 days, 1680 were published. Average CVSS is 7.3 (all time; 7.2 over 365d), and 66% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-416 - Use After Free, CWE-122 - Heap-based Buffer Overflow, CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition').

In our taxonomy this topic maps to a MODERATE impact class. Issues here typically affect operating system packages or kernels. Plan reboots or service restarts and coordinate rollouts across fleets. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2026-01-12
Critical

CVE-2025-69270

Information Exposure Through Query Strings in GET Request vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Session Hijacking.This issue affects DX NetOps Spectrum: 24.3.8 and ear…

CVSS: 9.8 CWE: CWE-598 - Use of HTTP Request With Sensitive Query String View on NVD
Critical

CVE-2025-69269

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows OS Command Injection.This issue affect…

CVSS: 9.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Medium

CVE-2025-69268

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Reflected XSS.This issue affects DX N…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-69267

Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Path Traversal.This issue affects DX NetOps Spectrum…

CVSS: 6.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2026-01-09
Critical

CVE-2026-22584

Improper Control of Generation of Code ('Code Injection') vulnerability in Salesforce Uni2TS on MacOS, Windows, Linux allows Leverage Executable Code in Non-Executable Files.This issue affects Uni2TS…

CVSS: 9.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2026-01-08
Low

CVE-2026-0747

Exposure of sensitive information in the TeamViewer entry dashboard component in Devolutions Remote Desktop Manager 2025.3.24.0 through 2025.3.28.0 on Windows allows an external observer to view a pa…

CVSS: 3.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2026-21860

Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.5, Werkzeug's safe_join function allows path segments with Windows device names that have file extensions or trailing sp…

CVSS: 5.3 CWE: CWE-67 - Improper Handling of Windows Device Names View on NVD
Medium

CVE-2025-67825

An issue was discovered in Nitro PDF Pro for Windows before 14.42.0.34. In certain cases, it displays signer information from a non-verified PDF field rather than from the verified certificate subjec…

CVSS: 5.5 CWE: CWE-346 - Origin Validation Error View on NVD
High

CVE-2026-22035

Greenshot is an open source Windows screenshot utility. Versions 1.3.310 and below arvulnerable to OS Command Injection through unsanitized filename processing. The FormatArguments method in External…

CVSS: 7.7 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
2026-01-07
Medium

CVE-2025-15479

Stored cross-site scripting (XSS, CWE-79) in the survey content and administration functionality in Data Illusion Zumbrunn NGSurvey Enterprise Edition 3.6.4 on all supported platforms ( on Windows a…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2026-20893

Origin validation error issue exists in Fujitsu Security Solution AuthConductor Client Basic V2 2.0.25.0 and earlier. If this vulnerability is exploited, an attacker who can log in to the Windows sys…

CVSS: 7.8 CWE: CWE-346 - Origin Validation Error View on NVD
Medium

CVE-2025-14625

Uncontrolled Search Path Element vulnerability in Altera Quartus Prime Standard on Windows (Nios II Command Shell modules), Altera Quartus Prime Lite on Windows (Nios II Command Shell modules) allows…

CVSS: 6.7 CWE: CWE-427 - Uncontrolled Search Path Element View on NVD
Medium

CVE-2025-14614

Insecure Temporary File vulnerability in Altera Quartus Prime Standard  Installer (SFX) on Windows, Altera Quartus Prime Lite  Installer (SFX) on Windows allows Explore for Predictable Temporar…

CVSS: 6.7 CWE: CWE-377 - Insecure Temporary File View on NVD
Low

CVE-2025-11235

Unverified Password Change vulnerability in Progress MOVEit Transfer on Windows (REST API modules).This issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.3, from 2023.0.0 before 2023.0.8, fr…

CVSS: 3.7 CWE: CWE-620 - Unverified Password Change View on NVD
Medium

CVE-2025-14612

Insecure Temporary File vulnerability in Altera Quartus Prime Pro  Installer (SFX) on Windows allows : Use of Predictable File Names.This issue affects Quartus Prime Pro: from 24.1 through 25.1.1.

CVSS: 6.7 CWE: CWE-377 - Insecure Temporary File View on NVD
Medium

CVE-2025-14605

Uncontrolled Search Path Element vulnerability in Altera Quartus Prime Pro on Windows (System Console modules) allows Search Order Hijacking.This issue affects Quartus Prime Pro: from 17.0 through 25…

CVSS: 6.7 CWE: CWE-427 - Uncontrolled Search Path Element View on NVD
Medium

CVE-2025-14599

Uncontrolled Search Path Element vulnerability in Altera Quartus Prime Standard Installer (SFX) on Windows, Altera Quartus Prime Lite  Installer (SFX) on Windows allows Search Order Hijacking.T…

CVSS: 6.7 CWE: CWE-427 - Uncontrolled Search Path Element View on NVD
Medium

CVE-2025-14596

Uncontrolled Search Path Element vulnerability in Altera Quartus Prime Pro Installer (SFX) on Windows allows Search Order Hijacking.This issue affects Quartus Prime Pro: from 24.1 through 24.3.1.

CVSS: 6.7 CWE: CWE-427 - Uncontrolled Search Path Element View on NVD
2026-01-05
High

CVE-2025-57836

An issue was discovered in Samsung Magician 6.3.0 through 8.3.2 on Windows. The installer creates a temporary folder with weak permissions during installation, allowing a non-admin user to perform DL…

CVSS: 7.8 CWE: CWE-427 - Uncontrolled Search Path Element View on NVD
2025-12-31
Medium

CVE-2025-67711

There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that conta…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-67710

There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that conta…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-67709

There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that conta…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-67708

There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that conta…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-67707

ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated attacker to upload arbitrary files to the server’s designat…

CVSS: 5.6 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Medium

CVE-2025-67706

ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated attacker to upload arbitrary files to the server’s designat…

CVSS: 5.6 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Medium

CVE-2025-67705

There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that conta…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-67704

There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that conta…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-67703

There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that conta…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2020-36904

Selea CarPlateServer 4.0.1.6 contains a remote program execution vulnerability that allows attackers to execute arbitrary Windows binaries by manipulating the NO_LIST_EXE_PATH configuration parameter…

CVSS: 7.5 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
High

CVE-2020-36903

Selea CarPlateServer 4.0.1.6 contains an unquoted service path vulnerability in the Windows service configuration that allows local users to potentially execute code with elevated privileges. Attacke…

CVSS: 8.4 CWE: CWE-428 - Unquoted Search Path or Element View on NVD
Low

CVE-2025-11964

On Windows only, if libpcap needs to convert a Windows error message to UTF-8 and the message includes characters that UTF-8 represents using 4 bytes, utf_16le_to_utf_8_truncated() can write data bey…

CVSS: 1.9 CWE: CWE-787 - Out-of-bounds Write View on NVD
2025-12-30
Critical

CVE-2022-50696

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain hardcoded credentials embedded in server binaries that cannot be modified through normal device operations. Attackers can leverage these s…

CVSS: 9.8 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
High

CVE-2025-69217

coturn is a free open source implementation of TURN and STUN Server. Versions 4.6.2r5 through 4.7.0-r4 have a bad random number generator for nonces and port randomization after refactoring. Addition…

CVSS: 7.7 CWE: CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) View on NVD
2025-12-29
Medium

CVE-2025-15065

Exposure of Sensitive Information to an Unauthorized Actor, Missing Encryption of Sensitive Data, Files or Directories Accessible to External Parties vulnerability in Kings Information & Network Co.…

CVSS: 6.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2025-12-22
Medium

CVE-2025-8304

An authenticated local user can obtain information that allows claiming security policy rules of another user due to sensitive information being accessible in the Windows Registry keys for Check Poin…

CVSS: 6.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2025-12-20
High

CVE-2025-34290

Versa SASE Client for Windows versions released between 7.8.7 and 7.9.4 contain a local privilege escalation vulnerability in the audit log export functionality. The client communicates user-controll…

CVSS: 8.5 CWE: CWE-250 - Execution with Unnecessary Privileges View on NVD
High

CVE-2025-14591

In Delphix Continuous Compliance version 2025.3.0 and later, following a recent bug fix to correctly handle CR+LF (Windows and DOS) End-of-Record (EOR) characters in delimited files, an issue was ide…

CVSS: 7.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2025-12-19
High

CVE-2025-66495

A use-after-free vulnerability exists in the annotation handling of Foxit PDF Reader before 2025.2.1, 14.0.1, and 13.2.1 on Windows and MacOS. When opening a PDF containing specially crafted JavaScri…

CVSS: 7.8 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2025-66494

A use-after-free vulnerability exists in the PDF file parsing of Foxit PDF Reader before 2025.2.1, 14.0.1, and 13.2.1 on Windows. A PDF object managed by multiple parent objects could be freed while…

CVSS: 7.8 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2025-66493

A use-after-free vulnerability exists in the AcroForm handling of Foxit PDF Reader and Foxit PDF Editor before 2025.2.1,14.0.1 and 13.2.1 on Windows . When opening a PDF containing specially craft…

CVSS: 7.8 CWE: CWE-416 - Use After Free View on NVD
2025-12-18
Medium

CVE-2025-13911

The vulnerability affects Ignition SCADA applications where Python scripting is utilized for automation purposes. The vulnerability arises from the absence of proper security controls that restrict…

CVSS: 6.4 CWE: CWE-250 - Execution with Unnecessary Privileges View on NVD
Medium

CVE-2023-53944

EasyPHP Webserver 14.1 contains a path traversal vulnerability that allows remote users with low privileges to access files outside the document root by bypassing SecurityManager restrictions. Attack…

CVSS: 6.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2025-12-17
Medium

CVE-2023-53912

USB Flash Drives Control 4.1.0.0 contains an unquoted service path vulnerability in its service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit…

CVSS: 6.2 CWE: CWE-428 - Unquoted Search Path or Element View on NVD
Critical

CVE-2025-68118

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.20.0, a vulnerability exists in FreeRDP’s certificate handling code on Windows platforms. The function `freerdp_cer…

CVSS: 9.1 CWE: CWE-125 - Out-of-bounds Read View on NVD
High

CVE-2025-67792

An issue was discovered in DriveLock 24.1 before 24.1.6, 24.2 before 24.2.7, and 25.1 before 25.1.5. Local unprivileged users can manipulate a DriveLock process to execute arbitrary commands on Windo…

CVSS: 7.8 CWE: CWE-269 - Improper Privilege Management View on NVD
High

CVE-2025-67790

An issue was discovered in DriveLock 24.1 before 24.1.6, 24.2 before 24.2.7, and 25.1 before 25.1.5. An unprivileged user could cause occasionally a Blue Screen Of Death (BSOD) on Windows computers b…

CVSS: 7.5 CWE: CWE-170 - Improper Null Termination View on NVD
High

CVE-2025-53000

The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. Versions of nbconvert up to and including 7.16.6 on Windows have a vulnerability in whi…

CVSS: 7.8 CWE: CWE-427 - Uncontrolled Search Path Element View on NVD
Critical

CVE-2025-67781

An issue was discovered in DriveLock 24.1 before 24.1.6, 24.2 before 24.2.7, and 25.1 before 25.1.5. Local unprivileged users can manipulate privileged processes to gain more privileges on Windows co…

CVSS: 9.9 CWE: CWE-269 - Improper Privilege Management View on NVD
Medium

CVE-2025-14095

A "Privilege boundary violation" vulnerability is identified affecting multiple Radiometer Products. Exploitation of this vulnerability gives a user with physical access to the analyzer, the possibil…

CVSS: 6.8 CWE: CWE-284 - Improper Access Control View on NVD
2025-12-16
High

CVE-2025-68154

systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the `fsSize()` function in systeminformation is vulnerable to OS command injection on Windows syste…

CVSS: 8.1 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Medium

CVE-2025-68146

filelock is a platform-independent file lock for Python. In versions prior to 3.20.1, a Time-of-Check-Time-of-Use (TOCTOU) race condition allows local attackers to corrupt or truncate arbitrary user…

CVSS: 6.3 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
Medium

CVE-2025-46294

To enhance security, the FileMaker Server 22.0.4 installer now includes an option to disable IIS short filename enumeration by setting NtfsDisable8dot3NameCreation in the Windows registry. This preve…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Critical

CVE-2025-65319

When using the attachment interaction functionality, Blue Mail 1.140.103 and below saves documents to a file system without a Mark-of-the-Web tag, which allows attackers to bypass the built-in file p…

CVSS: 9.1 CWE: CWE-693 - Protection Mechanism Failure View on NVD
Critical

CVE-2025-65318

When using the attachment interaction functionality, Canary Mail 5.1.40 and below saves documents to a file system without a Mark-of-the-Web tag, which allows attackers to bypass the built-in file pr…

CVSS: 9.1 CWE: CWE-693 - Protection Mechanism Failure View on NVD
2025-12-13
Medium

CVE-2025-14395

The Popover Windows plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple ajax actions (e.g., pop_submit, poptheme_submit) in all versi…

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2025-14394

The Popover Windows plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2. This is due to missing or incorrect nonce validation. This makes it possibl…

CVSS: 4.3 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2025-12-12
Medium

CVE-2025-13670

The High Level Synthesis Compiler i++ command for Windows is vulnerable to a DLL planting vulnerability

CVSS: 6.7 CWE: CWE-427 - Uncontrolled Search Path Element View on NVD
Medium

CVE-2025-13669

Uncontrolled Search Path Element vulnerability in Altera High Level Synthesis Compiler on Windows allows Search Order Hijacking.This issue affects High Level Synthesis Compiler: from 19.1 through 24.…

CVSS: 6.7 CWE: CWE-427 - Uncontrolled Search Path Element View on NVD
Medium

CVE-2025-13665

The System Console Utility for Windows is vulnerable to a DLL planting vulnerability

CVSS: 6.7 CWE: CWE-427 - Uncontrolled Search Path Element View on NVD
2025-12-11
Critical

CVE-2025-64721

Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. In versions 1.16.6 and below, the SYSTEM-level service SbieSvc.exe exposes SbieIniServer::RC4…

CVSS: 10.0 CWE: CWE-190 - Integer Overflow or Wraparound View on NVD
High

CVE-2024-58288

Genexus Protection Server 9.7.2.10 contains an unquoted service path vulnerability in the protsrvservice Windows service configuration. Attackers can exploit the unquoted binary path to execute arbit…

CVSS: 8.7 CWE: CWE-428 - Unquoted Search Path or Element View on NVD
Medium

CVE-2025-13663

Under certain circumstances, the Quartus Prime Pro Installer for Windows does not check the permissions of the Quartus target installation directory if the target installation directory already exist…

CVSS: 6.7 CWE: CWE-279 - Incorrect Execution-Assigned Permissions View on NVD
High

CVE-2025-64669

Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges locally.

CVSS: 7.8 CWE: CWE-284 - Improper Access Control View on NVD
High

CVE-2025-55314

An issue was discovered in Foxit PDF and Editor for Windows and macOS before 13.2 and 2025 before 2025.2. When pages in a PDF are deleted via JavaScript, the application may fail to properly update i…

CVSS: 7.8 CWE: CWE-476 - NULL Pointer Dereference View on NVD
High

CVE-2025-55313

An issue was discovered in Foxit PDF and Editor for Windows and macOS before 13.2 and 2025 before 2025.2. They allow potential arbitrary code execution when processing crafted PDF files. The vulnerab…

CVSS: 7.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
High

CVE-2025-55312

An issue was discovered in Foxit PDF and Editor for Windows before 13.2 and 2025 before 2025.2. When pages in a PDF are deleted via JavaScript, the application may fail to properly update internal st…

CVSS: 7.8 CWE: CWE-476 - NULL Pointer Dereference View on NVD
Medium

CVE-2025-55311

An issue was discovered in Foxit PDF and Editor for Windows and macOS before 13.2 and 2025 before 2025.2. A crafted PDF can use JavaScript to alter annotation content and subsequently clear the file'…

CVSS: 6.5 CWE: CWE-347 - Improper Verification of Cryptographic Signature View on NVD
High

CVE-2025-55310

An issue was discovered in Foxit PDF and Editor for Windows and macOS before 13.2 and 2025 before 2025.2. An attacker able to alter or replace the static HTML files used by the StartPage feature can…

CVSS: 7.3 CWE: CWE-494 - Download of Code Without Integrity Check View on NVD
Medium

CVE-2025-55309

An issue was discovered in Foxit PDF and Editor for Windows and macOS before 13.2 and 2025 before 2025.2. A crafted PDF can contain JavaScript that attaches an OnBlur action on a form field that dest…

CVSS: 6.7 CWE: CWE-416 - Use After Free View on NVD
Medium

CVE-2025-55308

An issue was discovered in Foxit PDF and Editor for Windows before 13.2 and 2025 before 2025.2. A crafted PDF containing JavaScript that calls closeDoc() while internal objects are still in use can c…

CVSS: 6.7 CWE: CWE-416 - Use After Free View on NVD
Low

CVE-2025-55307

An issue was discovered in Foxit PDF and Editor for Windows before 13.2 and 2025 before 2025.2. Opening a malicious PDF containing a crafted JavaScript call to search.query() with a crafted cDIPath p…

CVSS: 3.3 CWE: CWE-125 - Out-of-bounds Read View on NVD
Medium

CVE-2025-46266

A vulnerability in TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 25.11 for Windows allows malicious actors to coerce the service into transmi…

CVSS: 4.3 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2025-44016

A vulnerability in TeamViewer DEX Client (former 1E client) - Content Distribution Service (NomadBranch.exe) prior version 25.11 for Windows allows malicious actors to bypass file integrity validatio…

CVSS: 8.8 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2025-12687

A vulnerability in TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 25.11 for Windows allows malicious actors to cause a denial of service (appl…

CVSS: 6.5 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2025-64701

QND Premium/Advance/Standard Ver.11.0.9i and prior contains a privilege escalation vulnerability, which may allow a user who can log in to a Windows system with the affected product to gain administr…

CVSS: 7.8 CWE: CWE-268 - Privilege Chaining View on NVD
2025-12-10
High

CVE-2025-67460

Protection Mechanism Failure of Software Downgrade in Zoom Rooms for Windows before 6.6.0 may allow an unauthenticated user to conduct an escalation of privilege via local access.

CVSS: 7.8 CWE: CWE-693 - Protection Mechanism Failure View on NVD
2025-12-09
Medium

CVE-2025-66625

Umbraco is an ASP.NET CMS. Due to unsafe handling and deletion of temporary files in versions 10.0.0 through 13.12.0, during the dictionary upload process an attacker with access to the backoffice ca…

CVSS: 4.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
High

CVE-2025-64680

Heap-based buffer overflow in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.

CVSS: 7.8 CWE: CWE-122 - Heap-based Buffer Overflow View on NVD
High

CVE-2025-64679

Heap-based buffer overflow in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.

CVSS: 7.8 CWE: CWE-122 - Heap-based Buffer Overflow View on NVD
High

CVE-2025-64678

Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network.

CVSS: 8.8 CWE: CWE-122 - Heap-based Buffer Overflow View on NVD
High

CVE-2025-64661

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Shell allows an authorized attacker to elevate privileges locally.

CVSS: 7.8 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
High

CVE-2025-64658

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Shell allows an authorized attacker to elevate privileges locally.

CVSS: 7.5 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
High

CVE-2025-62573

Use after free in Windows DirectX allows an authorized attacker to elevate privileges locally.

CVSS: 7.0 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
High

CVE-2025-62571

Improper input validation in Windows Installer allows an authorized attacker to elevate privileges locally.

CVSS: 7.8 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2025-62570

Improper access control in Windows Camera Frame Server Monitor allows an authorized attacker to disclose information locally.

CVSS: 7.1 CWE: CWE-284 - Improper Access Control View on NVD
Medium

CVE-2025-62567

Integer underflow (wrap or wraparound) in Windows Hyper-V allows an authorized attacker to deny service over a network.

CVSS: 5.3 CWE: CWE-191 - Integer Underflow (Wrap or Wraparound) View on NVD
High

CVE-2025-62565

Use after free in Windows Shell allows an authorized attacker to elevate privileges locally.

CVSS: 7.3 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2025-62549

Untrusted pointer dereference in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network.

CVSS: 8.8 CWE: CWE-822 - Untrusted Pointer Dereference View on NVD
High

CVE-2025-62474

Improper access control in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally.

CVSS: 7.8 CWE: CWE-284 - Improper Access Control View on NVD
Medium

CVE-2025-62473

Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.

CVSS: 6.5 CWE: CWE-126 - Buffer Over-read View on NVD
High

CVE-2025-62472

Use of uninitialized resource in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally.

CVSS: 7.8 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2025-62470

Heap-based buffer overflow in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.

CVSS: 7.8 CWE: CWE-122 - Heap-based Buffer Overflow View on NVD
Medium

CVE-2025-62468

Out-of-bounds read in Windows Defender Firewall Service allows an authorized attacker to disclose information locally.

CVSS: 5.5 CWE: CWE-125 - Out-of-bounds Read View on NVD
High

CVE-2025-62467

Integer overflow or wraparound in Windows Projected File System allows an authorized attacker to elevate privileges locally.

CVSS: 7.8 CWE: CWE-126 - Buffer Over-read View on NVD
High

CVE-2025-62466

Null pointer dereference in Windows Client-Side Caching (CSC) Service allows an authorized attacker to elevate privileges locally.

CVSS: 7.8 CWE: CWE-476 - NULL Pointer Dereference View on NVD
Medium

CVE-2025-62465

Null pointer dereference in Windows DirectX allows an authorized attacker to deny service locally.

CVSS: 6.5 CWE: CWE-476 - NULL Pointer Dereference View on NVD
High

CVE-2025-62464

Buffer over-read in Windows Projected File System allows an authorized attacker to elevate privileges locally.

CVSS: 7.8 CWE: CWE-126 - Buffer Over-read View on NVD
Medium

CVE-2025-62463

Null pointer dereference in Windows DirectX allows an authorized attacker to deny service locally.

CVSS: 6.5 CWE: CWE-476 - NULL Pointer Dereference View on NVD
High

CVE-2025-62462

Buffer over-read in Windows Projected File System allows an authorized attacker to elevate privileges locally.

CVSS: 7.8 CWE: CWE-126 - Buffer Over-read View on NVD
High

CVE-2025-62461

Buffer over-read in Windows Projected File System Filter Driver allows an authorized attacker to elevate privileges locally.

CVSS: 7.8 CWE: CWE-126 - Buffer Over-read View on NVD
High

CVE-2025-62458

Heap-based buffer overflow in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally.

CVSS: 7.8 CWE: CWE-122 - Heap-based Buffer Overflow View on NVD
High

CVE-2025-62457

Out-of-bounds read in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.

CVSS: 7.8 CWE: CWE-125 - Out-of-bounds Read View on NVD
High

CVE-2025-62456

Heap-based buffer overflow in Windows Resilient File System (ReFS) allows an authorized attacker to execute code over a network.

CVSS: 8.8 CWE: CWE-122 - Heap-based Buffer Overflow View on NVD
High

CVE-2025-62455

Improper input validation in Windows Message Queuing allows an authorized attacker to elevate privileges locally.

CVSS: 7.8 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2025-62454

Heap-based buffer overflow in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.

CVSS: 7.8 CWE: CWE-122 - Heap-based Buffer Overflow View on NVD
High

CVE-2025-62221

Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.

CVSS: 7.8 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2025-59517

Improper access control in Windows Storage VSP Driver allows an authorized attacker to elevate privileges locally.

CVSS: 7.8 CWE: CWE-284 - Improper Access Control View on NVD
High

CVE-2025-59516

Missing authentication for critical function in Windows Storage VSP Driver allows an authorized attacker to elevate privileges locally.

CVSS: 7.8 CWE: CWE-73 - External Control of File Name or Path View on NVD
High

CVE-2025-55233

Out-of-bounds read in Windows Projected File System allows an authorized attacker to elevate privileges locally.

CVSS: 7.8 CWE: CWE-125 - Out-of-bounds Read View on NVD
High

CVE-2025-54100

Improper neutralization of special elements used in a command ('command injection') in Windows PowerShell allows an unauthorized attacker to execute code locally.

CVSS: 7.8 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
Medium

CVE-2025-66271

Clone for Windows provided by ELECOM CO.,LTD. registers a Windows service with an unquoted file path. A user with the write permission on the root directory of the system drive may execute arbitrary…

CVSS: 6.7 CWE: CWE-428 - Unquoted Search Path or Element View on NVD
2025-12-08
Medium

CVE-2025-66461

FULLBACK Manager Pro provided by GS Yuasa International Ltd. registers two Windows services with unquoted file paths. A user may execute arbitrary code with SYSTEM privilege if he/she has the write…

CVSS: 6.7 CWE: CWE-428 - Unquoted Search Path or Element View on NVD
2025-12-06
Unknown

CVE-2025-40271

In the Linux kernel, the following vulnerability has been resolved: fs/proc: fix uaf in proc_readdir_de() Pde is erased from subdir rbtree through rb_erase(), but not set the node to EMPTY, which m…

CVSS: N/A CWE: N/A View on NVD
2025-12-05
High

CVE-2025-59775

Server-Side Request Forgery (SSRF) vulnerability  in Apache HTTP Server on Windows with AllowEncodedSlashes On and MergeSlashes Off  allows to potentially leak NTLM hashes to a malicious server…

CVSS: 7.5 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
2025-12-04
Medium

CVE-2025-1910

The WatchGuard Mobile VPN with SSL Client on Windows allows a locally authenticated non-administrative Windows user to escalate their privileges to NT AUTHORITY/SYSTEM on the Windows machine where…

CVSS: 6.3 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
2025-12-03
High

CVE-2025-12385

Allocation of Resources Without Limits or Throttling, Improper Validation of Specified Quantity in Input vulnerability in The Qt Company Qt on Windows, MacOS, Linux, iOS, Android, x86, ARM, 64 bit, 3…

CVSS: 8.7 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
High

CVE-2025-20387

In Splunk Universal Forwarder for Windows versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, a new installation of or an upgrade to an affected version can result in incorrect permissions assignment in…

CVSS: 8.0 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
High

CVE-2025-20386

In Splunk Enterprise for Windows versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, a new installation of or an upgrade to an affected version can result in incorrect permissions assignment in the Splu…

CVSS: 8.0 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
Medium

CVE-2025-13751

Interactive service agent in OpenVPN version 2.5.0 through 2.6.16 and 2.7_alpha1 through 2.7_rc2 on Windows allows a local authenticated user to connect to the service and trigger an error causing a…

CVSS: 5.5 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
High

CVE-2025-53841

The GC-AGENTS-SERVICE running as part of Akamai´s Guardicore Platform Agent for Windows versions prior to v49.20.1, v50.15.0, v51.12.0, v52.2.0 is affected by a local privilege escalation vulnerabili…

CVSS: 7.8 CWE: CWE-829 - Inclusion of Functionality from Untrusted Control Sphere View on NVD