Common Vulnerabilities and Exposures (CVE)

CVE-2025-7195

Jan 29, 2026 23:41:29 UTC

Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/pass...

CVE-2026-1638

Jan 29, 2026 23:32:11 UTC

A security flaw has been discovered in Tenda AC21 1.1.1.1/1.dmzip/16.03.08.16. The impacted element is the function mDMZSetCfg of the file /goform/mDMZSetCfg. The manipulation of the argument dmzIp results in command injection. The attack c...

CVE-2025-69517

Jan 29, 2026 23:21:32 UTC

An HTML injection vulnerability in Amidaware Inc Tactical RMM v1.3.1 and earlier allows authenticated users to inject arbitrary HTML content during the creation of a new agent via the POST /api/v3/newagent/ endpoint. The agent_id parameter ...

CVE-2025-12758

Jan 29, 2026 23:06:54 UTC

Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (\uFE0F, \uFE0E) ap...

CVE-2026-1665

Jan 29, 2026 23:06:47 UTC

A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget cod...

CVE-2026-20960

Jan 29, 2026 22:44:41 UTC

Improper authorization in Microsoft Power Apps allows an authorized attacker to execute code over a network.

CVE-2026-20831

Jan 29, 2026 22:44:40 UTC

Time-of-check time-of-use (TOCTOU) race condition in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.

CVE-2026-21509

Jan 29, 2026 22:44:39 UTC

Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.

CVE-2026-21264

Jan 29, 2026 22:44:38 UTC

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Account allows an unauthorized attacker to perform spoofing over a network.

CVE-2026-21521

Jan 29, 2026 22:44:38 UTC

Improper neutralization of escape, meta, or control sequences in Copilot allows an unauthorized attacker to disclose information over a network.

CVE-2026-21227

Jan 29, 2026 22:44:37 UTC

Improper limitation of a pathname to a restricted directory ('path traversal') in Azure Logic Apps allows an unauthorized attacker to elevate privileges over a network.

CVE-2026-24307

Jan 29, 2026 22:44:36 UTC

Improper validation of specified type of input in M365 Copilot allows an unauthorized attacker to disclose information over a network.

CVE-2026-24305

Jan 29, 2026 22:44:36 UTC

Azure Entra ID Elevation of Privilege Vulnerability

CVE-2026-21524

Jan 29, 2026 22:44:35 UTC

Exposure of sensitive information to an unauthorized actor in Azure Data Explorer allows an unauthorized attacker to disclose information over a network.

CVE-2026-24306

Jan 29, 2026 22:44:35 UTC

Improper access control in Azure Front Door (AFD) allows an unauthorized attacker to elevate privileges over a network.