Microsoft

vulnerability 2026-05-15
Exchange Server CVE-2026-42897: Unpatched OWA XSS Zero-Day Exploited via Crafted Email
Microsoft confirms in-the-wild exploitation of an unpatched XSS spoofing flaw in on-prem Exchange Server 2016, 2019, and Subscription Edition. Mitigation is automatic only if EEMS is enabled.
microsoft exchange zero-day xss spoofing owa cve-2026-42897 actively-exploited
vulnerability 2026-05-14
Outlook CVE-2026-40361: Zero-Click Word RCE Resurrects BadWinmail's Enterprise-Killer Class
A use-after-free in a shared Office DLL lets a malicious message fire RCE through the Outlook Reading Pane and Explorer Preview Pane. Microsoft rates exploitation 'more likely.'
microsoft outlook word cve-2026-40361 zero-click use-after-free preview-pane patch-tuesday
vulnerabilities 2026-04-14
Microsoft April 2026 Patch Tuesday Fixes 167 Flaws Including Actively Exploited SharePoint Zero-Day
Microsoft's second-largest Patch Tuesday ever addresses 167 vulnerabilities, including an actively exploited SharePoint XSS flaw and a critical CVSS 9.8 Windows IKE remote code execution bug.
microsoft patch-tuesday zero-day sharepoint windows CVE-2026-32201 CVE-2026-33825 CVE-2026-33824
Vulnerabilities 2026-04-06
CVE-2026-32211: Azure MCP Server Ships with No Auth — Your DevOps Secrets Are One Request Away
Critical CVSS 9.1 flaw in Azure MCP Server has zero authentication on critical functions, exposing API keys, tokens, repos, and pipeline configs to unauthenticated attackers. No patch available.
azure mcp devops authentication microsoft cicd

Microsoft

Exchange Server CVE-2026-42897: Unpatched OWA XSS Zero-Day Exploited via Crafted Email

Outlook CVE-2026-40361: Zero-Click Word RCE Resurrects BadWinmail's Enterprise-Killer Class

Microsoft April 2026 Patch Tuesday Fixes 167 Flaws Including Actively Exploited SharePoint Zero-Day

CVE-2026-32211: Azure MCP Server Ships with No Auth — Your DevOps Secrets Are One Request Away