| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| A maliciously crafted HTML payload in an assembly variant name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process. |
| Stored XSS in Ivanti N-ITSM before version 2025.4 allows a remote authenticated attacker to obtain limited information from other user sessions. User interaction is required. |
| A flaw was found in Keycloak, specifically in the organization selection login page. A remote attacker with `manage-realm` or `manage-organizations` administrative privileges can exploit a Stored Cross-Site Scripting (XSS) vulnerability. This flaw occurs because the `organization.alias` is placed into an inline JavaScript `onclick` handler, allowing a crafted JavaScript payload to execute in a user's browser when they view the login page. Successful exploitation enables arbitrary JavaScript execution, potentially leading to session theft, unauthorized account actions, or further attacks against users of the affected realm. |
| Improper input validation in Windows Hello allows an authorized attacker to bypass a security feature locally. |
| Use after free in Desktop Window Manager allows an authorized attacker to elevate privileges locally. |
| Uncontrolled resource consumption in .NET allows an unauthorized attacker to deny service over a network. |
| Improper access control in Microsoft Management Console allows an authorized attacker to elevate privileges locally. |
| Out-of-bounds read in Windows GDI allows an unauthorized attacker to disclose information locally. |
| Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. |
| Buffer over-read in Windows Projected File System allows an authorized attacker to elevate privileges locally. |
| Use after free in Microsoft Windows Search Component allows an authorized attacker to elevate privileges locally. |
| Improper handling of insufficient permissions or privileges in Windows Installer allows an authorized attacker to elevate privileges locally. |
| Use after free in Windows WFP NDIS Lightweight Filter Driver (wfplwfs.sys) allows an authorized attacker to elevate privileges locally. |
| Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SSDP Service allows an authorized attacker to elevate privileges locally. |
| Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally. |
| Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Brokering File System allows an unauthorized attacker to elevate privileges locally. |
| Use after free in Desktop Window Manager allows an authorized attacker to elevate privileges locally. |
| Use after free in Remote Desktop Client allows an unauthorized attacker to execute code over a network. |
| Improper neutralization of special elements used in a command ('command injection') in Windows Snipping Tool allows an unauthorized attacker to execute code locally. |
| Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally. |
