CVE Notify
Alert on the latest CVEs

Partner channel: @malwr
🚨 CVE-2026-45459
Protection mechanism failure in Microsoft Office Excel allows an unauthorized attacker to bypass a security feature locally.

🎖@cveNotify
🚨 CVE-2026-45460
Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally.

🎖@cveNotify
🚨 CVE-2026-45461
Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.

🎖@cveNotify
🚨 CVE-2026-45466
Heap-based buffer overflow in Microsoft Office Word allows an unauthorized attacker to disclose information locally.

🎖@cveNotify
🚨 CVE-2026-45469
Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

🎖@cveNotify
🚨 CVE-2026-45471
Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally.

🎖@cveNotify
🚨 CVE-2026-45472
Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.

🎖@cveNotify
🚨 CVE-2026-45474
Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.

🎖@cveNotify
🚨 CVE-2026-45475
Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.

🎖@cveNotify
🚨 CVE-2026-45482
Initialization of a resource with an insecure default in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to disclose information over a network.

🎖@cveNotify
🚨 CVE-2026-45485
Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally.

🎖@cveNotify
🚨 CVE-2026-45486
Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally.

🎖@cveNotify
🚨 CVE-2026-45643
Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally.

🎖@cveNotify
🚨 CVE-2026-45645
Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.

🎖@cveNotify
🚨 CVE-2026-45649
Improper access control in Office for Android allows an unauthorized attacker to perform spoofing locally.

🎖@cveNotify
🚨 CVE-2026-47636
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.

🎖@cveNotify
🚨 CVE-2026-11527
Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file overwrite via a 2-arg open() of the -file argument in _make_filehandle.

Config::IniFiles::_make_filehandle opens a filename argument with Perl's 2-arg open(), which parses the open mode out of the filename string itself. A filename that begins or ends with a pipe ("| cmd", "cmd |") is therefore run as a command, and one that begins with a redirect ("> path", ">> path") is opened for writing (truncating the target) rather than read as a file. The helper is the open path behind the documented -file argument: new(-file => $thing) reaches it through ReadConfig. An in-memory scalar reference (-file => \$text) does not open a path and is unaffected.

Any caller that forwards untrusted input to the -file argument can thereby run an arbitrary command or truncate a file under the process UID.

🎖@cveNotify
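Added example, not part of the channel post or of Config::IniFiles itself: a hypothetical Perl helper (the names open_config_source and read_first_line are assumed) that accepts the same kind of argument as -file, a path or a scalar reference, but uses the three-argument form of open(), the fix class for the two-argument parsing described above. It is exercised on a constructed INI file, an in-memory scalar reference, and the pipe-style name quoted in the advisory.

```perl
#!/usr/bin/env perl
# Added example, not Config::IniFiles code: a hypothetical helper that takes
# the same kind of argument as -file (a path or an in-memory scalar reference)
# but opens it with the three-argument form of open().
use strict;
use warnings;
use File::Temp qw(tempfile);

sub open_config_source {
    my ($source) = @_;
    # Three-argument open() with an explicit '<' mode takes the name literally:
    # a leading '>' or trailing '|' is just part of a filename, never a redirect
    # or a shell pipe, so such a name simply fails to open.  A scalar reference
    # (\$text) is read in memory, matching the unaffected -file => \$text case.
    # The vulnerable form is the two-argument open(my $fh, $source), which
    # parses the mode, and with it pipes and redirects, out of the string.
    open my $fh, '<', $source
        or return (undef, "cannot open: $!");
    return ($fh, undef);
}

sub read_first_line {
    my ($source) = @_;
    my ($fh, $err) = open_config_source($source);
    return "ERROR: $err" unless $fh;
    my $line = <$fh>;
    close $fh;
    chomp $line if defined $line;
    return $line;
}

# Constructed sample inputs: a small INI file on disk and the same text in memory.
my ($tmp_fh, $tmp_path) = tempfile(UNLINK => 1);
print {$tmp_fh} "[section]\nkey=value\n";
close $tmp_fh;
my $text = "[section]\nkey=value\n";

print read_first_line($tmp_path), "\n";
print read_first_line(\$text), "\n";
# The pipe-style name from the advisory is reported as an open failure,
# not executed as a command.
print read_first_line('| cmd'), "\n";
```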
🚨 CVE-2026-32208
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Edge (Chromium-based) allows an authorized attacker to perform spoofing over a network.

🎖@cveNotify
🚨 CVE-2026-42895
Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to perform tampering over a network.

🎖@cveNotify
🚨 CVE-2026-45480
Improper authentication in Azure Active Directory allows an unauthorized attacker to elevate privileges over a network.

🎖@cveNotify
🚨 CVE-2026-47203
Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. In versions 4.38.0 through 4.39.19, when a user authenticates via Basic Auth (i.e. via the `Authorization` header with the `Basic` scheme) on the authz verification endpoint, Authelia takes the username directly from the `Authorization` header and passes it as is to the regulation system for ban checking and attempt recording. LDAP treats usernames case-insensitively: `john`, `John`, and `JOHN` all bind as the same user. But the regulation SQL queries treat the lookup of these values in certain scenarios as case-sensitive. This allows each variation of a username's case to have its own ban bucket, so the per-user attempt limit can be exceeded by cycling through case variants. Upgrade to 4.39.20 to receive a patch. As a workaround, explicitly disable the basic auth mechanism.

🎖@cveNotify