Security Vulnerabilities
Improper access control in Microsoft Kinect allows an authorized attacker to elevate privileges locally.
CVSS Score: 7.8
EPSS Score: 0.003
Published: 2026-06-09
Improper neutralization of input during web page generation ('cross-site scripting') in Azure Stack Edge allows an authorized attacker to perform spoofing over a network.
CVSS Score: 8.4
EPSS Score: 0.007
Published: 2026-06-09
Heap-based buffer overflow in Microsoft Windows DNS allows an authorized attacker to elevate privileges locally.
CVSS Score: 7.0
EPSS Score: 0.002
Published: 2026-06-09
Issue summary: Remote peer may exhaust heap memory of the QUIC server or client by flooding it with packets containing PATH_CHALLENGE frames. Impact summary: A malicious remote peer can cause an unbounded memory allocation which can lead to an abnormal termination of the application acting as a QUIC client or server and a Denial of Service. A remote peer may exhaust heap memory by flooding the local QUIC stack with PATH_CHALLENGE frames. The local QUIC stack allocates a PATH_RESPONSE frame for every PATH_CHALLENGE it receives. The allocated PATH_RESPONSE frame gets freed only when the remote peer acknowledges reception of the PATH_RESPONSE frame which will not be done by a malicious peer. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue. The QUIC stack is outside of OpenSSL FIPS module boundary.
CVSS Score: 7.5
EPSS Score: 0.005
Published: 2026-06-09
Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
CVSS Score: 7.0
EPSS Score: 0.002
Published: 2026-06-09
Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.
CVSS Score: 5.4
EPSS Score: 0.002
Published: 2026-06-09
Issue summary: A malicious server can exploit TLS OCSP stapling by delivering a crafted response through the status_request extension, triggering a double-free in the client's certificate verification path. Impact summary: Successful exploitation allows an attacker to corrupt heap memory via a double-free, potentially leading to a Denial of Service or possibly an attacker controlled code execution or other undefined behavior. If OCSP stapling is enabled and the TLS client connects to a malicious server, a crafted OCSP stapled response can trigger a double free in the TLS client when the stapled response is checked. The OCSP stapling is not enabled by default. Reliable code execution through a double-free is technically complex and highly environment-dependent but the Denial of Service impact is straightforward to achieve, warranting Moderate severity. No FIPS modules are affected by this issue as the affected code is outside the OpenSSL FIPS module boundary.
CVSS Score: 5.0
EPSS Score: 0.002
Published: 2026-06-09
Improper handling of insufficient permissions or privileges in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to elevate privileges over a network.
CVSS Score: 8.8
EPSS Score: 0.005
Published: 2026-06-09
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
CVSS Score: 5.4
EPSS Score: 0.004
Published: 2026-06-09
Trust boundary violation in Windows Attestation allows an authorized attacker to elevate privileges locally.
CVSS Score: 7.8
EPSS Score: 0.003
Published: 2026-06-09

