Security Vulnerabilities
Improper access control in M365 Copilot for Desktop allows an unauthorized attacker to perform spoofing locally.
CVSS Score: 6.2; EPSS Score: 0.001; Published: 2026-05-12
changedetection.io is a free open source web page change detection tool. In 0.54.9 and earlier, xpath_filter() switches to XML mode for XML/RSS content and creates etree.XMLParser(strip_cdata=False) without explicitly disabling external entity resolution, external DTD loading, or network-backed entity lookup. The helper then parses untrusted XML bytes directly with etree.fromstring(...).
CVSS Score: 8.2; EPSS Score: 0.0; Published: 2026-05-12
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.0, Langflow is vulnerable to Path Traversal in the Knowledge Bases API (DELETE /api/v1/knowledge_bases). This occurs because user-supplied knowledge base names are concatenated directly into file paths without proper sanitization or boundary validation. An authenticated attacker can exploit this flaw to delete arbitrary directories anywhere on the server's filesystem, leading to data loss and potential service disruption. This vulnerability is fixed in 1.9.0.
CVSS Score: 9.6; EPSS Score: 0.0; Published: 2026-05-12
External control of file name or path in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose information over a network.
CVSS Score: 7.4; EPSS Score: 0.002; Published: 2026-05-12
Improper neutralization of special elements in output used by a downstream component ('injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to bypass a security feature over a network.
CVSS Score: 8.8; EPSS Score: 0.001; Published: 2026-05-12
Improper neutralization of input during web page generation ('cross-site scripting') in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally.
CVSS Score: 6.3; EPSS Score: 0.0; Published: 2026-05-12
Improper neutralization of script-related HTML tags in a web page (basic XSS) in Visual Studio Code allows an unauthorized attacker to execute code locally.
CVSS Score: 7.8; EPSS Score: 0.0; Published: 2026-05-12
Use after free in Data Deduplication allows an authorized attacker to elevate privileges locally.
CVSS Score: 7.8; EPSS Score: 0.0; Published: 2026-05-12
Heap-based buffer overflow in Microsoft Windows DNS allows an unauthorized attacker to execute code over a network.
CVSS Score: 9.8; EPSS Score: 0.0; Published: 2026-05-12
Reliance on a component that is not updateable in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.
CVSS Score: 6.7; EPSS Score: 0.003; Published: 2026-05-12



Shodan ® - All rights reserved