CVE-2026-35414 OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.
Information published.
Category
Vulnerabilities
CVE-2025-1149 GNU Binutils ld xmalloc.c xstrdup memory leak
Information published.
CVE-2026-48579 Microsoft Exchange Online Information Disclosure Vulnerability
Improper authorization in Microsoft Exchange Online allows an unauthorized attacker to disclose information over a network.
CVE-2026-47655 Microsoft Graph Information Disclosure Vulnerability
Exposure of sensitive information to an unauthorized actor in Microsoft Graph allows an authorized attacker to disclose information over a network.
CVE-2026-47644 Copilot Chat (Microsoft Edge) Information Disclosure Vulnerability
Improper neutralization of special elements in output used by a downstream component ('injection') in Copilot Chat (Microsoft Edge) allows an unauthorized attacker to disclose information over a network.
CVE-2026-45497 Microsoft M365 Copilot Remote Code Execution Vulnerability
Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an authorized attacker to execute code over a network.
CVE-2026-42824 M365 Copilot Information Disclosure Vulnerability
Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.
CVE-2026-48567 Azure HorizonDB Elevation of Privilege Vulnerability
Authentication bypass by spoofing in Azure HorizonDB allows an unauthorized attacker to elevate privileges over a network.
CVE-2026-25680 Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html
Information published.
CVE-2026-46598 Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent
Information published.
CVE-2026-39835 Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh
Information published.
CVE-2026-39827 Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh
Information published.
CVE-2026-25681 Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html
Information published.
CVE-2026-42502 Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html
Information published.
CVE-2026-35433 .NET Elevation of Privilege Vulnerability
This CVE was updated to fix the download link for .NET Framework 3.8 & 4.81 for Windows 2025
CVE-2026-32177 .NET Elevation of Privilege Vulnerability
This CVE was updated to fix the download link for .NET Framework 3.8 & 4.81 for Windows 2025
CVE-2026-33841 Windows Kernel Elevation of Privilege Vulnerability
Updated an acknowledgement. This is an informational change only.
CVE-2026-7774 tarfile.data_filter path traversal bypass allows writing outside the extraction directory
Information published.
CVE-2026-3276 Potential DoS via quadratic complexity in unicodedata.normalize()
Information published.
CVE-2026-8829 HTML::Entities versions before 3.84 for Perl read freed heap memory in _decode_entities
Information published.
CVE-2026-5419 Guntls: gnutls: information disclosure via timing side-channel in pkcs#7 padding removal
Information published.
CVE-2026-37460 Missing input validation in the rfapiRibBi2Ri() function (rfapi_rib.c) of FRRouting (FRR) stable/10.0 to stable/10.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.
Information published.
CVE-2026-11332 Ansible-core: argument injection in ansible-galaxy role install leads to arbitrary code execution
Information published.
CVE-2026-27145 Inefficient candidate hostname parsing in crypto/x509
Information published.
CVE-2026-42507 Arbitrary inputs are included in errors without any escaping in net/textproto
Information published.
CVE-2026-8643 pip can extract console_scripts and gui_scripts outside installation directory
Information published.
CVE-2026-43958 Rrdtool: rrdtool: stack buffer overflow allows local code execution or denial of service
Information published.
CVE-2026-10722 cilium ebpf LoadCollectionSpec/LoadCollectionSpecFromReader btf.go loadRawSpec integer overflow
Information published.
CVE-2026-50219 libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset from within handlers in cases of a policy violation. Thus, a use-after-free can occur,
Information published.
CVE-2026-42504 Quadratic complexity in WordDecoder.DecodeHeader in mime
Information published.