Microsoft
Microsoft's June Patch Tuesday Is Its Biggest Ever: 200 Flaws, 33 Critical, Three Public Zero-Days
Microsoft's largest Patch Tuesday on record fixes 200 vulnerabilities including HTTP.sys and Kerberos KDC RCEs, three Hyper-V escapes, and the HTTP/2 Bomb and YellowKey BitLocker zero-days.
SharePoint CVE-2026-45659: Site Member Permissions Are Enough to Pop the Farm
Microsoft patched CVE-2026-45659, an 8.8-severity SharePoint deserialization RCE that only requires Site Member permissions — the lowest tier any authenticated user can have.
Exchange Server CVE-2026-42897: Unpatched OWA XSS Zero-Day Exploited via Crafted Email
Microsoft confirms in-the-wild exploitation of an unpatched XSS spoofing flaw in on-prem Exchange Server 2016, 2019, and Subscription Edition. Mitigation is automatic only if EEMS is enabled.
Outlook CVE-2026-40361: Zero-Click Word RCE Resurrects BadWinmail's Enterprise-Killer Class
A use-after-free in a shared Office DLL lets a malicious message fire RCE through the Outlook Reading Pane and Explorer Preview Pane. Microsoft rates exploitation 'more likely.'
Microsoft April 2026 Patch Tuesday Fixes 167 Flaws Including Actively Exploited SharePoint Zero-Day
Microsoft's second-largest Patch Tuesday ever addresses 167 vulnerabilities, including an actively exploited SharePoint XSS flaw and a critical CVSS 9.8 Windows IKE remote code execution bug.
CVE-2026-32211: Azure MCP Server Ships with No Auth — Your DevOps Secrets Are One Request Away
Critical CVSS 9.1 flaw in Azure MCP Server has zero authentication on critical functions, exposing API keys, tokens, repos, and pipeline configs to unauthenticated attackers. No patch available.