Security Vulnerabilities
Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.
CVSS Score: 7.8; EPSS Score: 0.001; Published: 2026-05-12

Improper access control in Microsoft Office allows an unauthorized attacker to perform spoofing locally.
CVSS Score: 7.7; EPSS Score: 0.0; Published: 2026-05-12

Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.
CVSS Score: 9.1; EPSS Score: 0.001; Published: 2026-05-12

OpenTelemetry.OpAmp.Client is the OpAMP client for OpenTelemetry .NET. Prior to 0.2.0-alpha.1, when receiving responses from the OpAMP server over HTTP, the OpAMP client allocates an unbounded buffer to read all bytes from the server, with no upper bound on the number of bytes consumed. This could cause memory exhaustion in the consuming application if the configured OpAMP server is attacker-controlled (or a network attacker can MitM the connection) and an extremely large body is returned in the response. This vulnerability is fixed in 0.2.0-alpha.1.
CVSS Score: 5.9; EPSS Score: 0.0; Published: 2026-05-12

Relative path traversal in Visual Studio Code allows an unauthorized attacker to disclose information locally.
CVSS Score: 5.5; EPSS Score: 0.0; Published: 2026-05-12

Session fixation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.
CVSS Score: 8.8; EPSS Score: 0.001; Published: 2026-05-12

Improper access control in M365 Copilot for Desktop allows an unauthorized attacker to perform spoofing locally.
CVSS Score: 6.2; EPSS Score: 0.001; Published: 2026-05-12

changedetection.io is a free open source web page change detection tool. In 0.54.9 and earlier, xpath_filter() switches to XML mode for XML/RSS content and creates etree.XMLParser(strip_cdata=False) without explicitly disabling external entity resolution, external DTD loading, or network-backed entity lookup. The helper then parses untrusted XML bytes directly with etree.fromstring(...).
CVSS Score: 8.2; EPSS Score: 0.0; Published: 2026-05-12

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.0, Langflow is vulnerable to Path Traversal in the Knowledge Bases API (DELETE /api/v1/knowledge_bases). This occurs because user-supplied knowledge base names are concatenated directly into file paths without proper sanitization or boundary validation. An authenticated attacker can exploit this flaw to delete arbitrary directories anywhere on the server's filesystem, leading to data loss and potential service disruption. This vulnerability is fixed in 1.9.0.
CVSS Score: 9.6; EPSS Score: 0.0; Published: 2026-05-12

External control of file name or path in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose information over a network.
CVSS Score: 7.4; EPSS Score: 0.002; Published: 2026-05-12

