CVE-2023-31358 | A DLL hijacking vulnerability in the AMD Manageability API could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution. | high |
CVE-2025-47280 | Umbraco Forms is a form builder that integrates with the Umbraco content management system. Starting in the 7.x branch and prior to versions 13.4.2 and 15.1.2, the 'Send email' workflow does not HTML encode the user-provided field values in the sent email message, making any form with this workflow configured vulnerable, as it allows sending the message from a trusted system and address, potentially bypassing spam and email client security systems. This issue affects all (supported) versions of Umbraco Forms and is patched in 13.4.2 and 15.1.2. Unpatched or unsupported versions can work around this issue by using the `Send email with template (Razor)` workflow instead or writing a custom workflow type. To avoid accidentally using the vulnerable workflow again, the `SendEmail` workflow type can be removed using a composer available in the GitHub Security Advisory for this vulnerability. | medium |
CVE-2025-4658 | Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification. As OPKSSH depends on the OpenPubkey library for authentication, this vulnerability in OpenPubkey also applies to OPKSSH versions prior to 0.5.0 and would allow an attacker to bypass OPKSSH authentication. | critical |
CVE-2025-3757 | Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification. | critical |
CVE-2025-32709 | Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | high |
CVE-2025-32707 | Out-of-bounds read in Windows NTFS allows an unauthorized attacker to elevate privileges locally. | high |
CVE-2025-32706 | Improper input validation in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally. | high |
CVE-2025-32705 | Out-of-bounds read in Microsoft Office Outlook allows an unauthorized attacker to execute code locally. | high |
CVE-2025-32704 | Buffer over-read in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | high |
CVE-2025-32703 | Insufficient granularity of access control in Visual Studio allows an authorized attacker to disclose information locally. | medium |
CVE-2025-32702 | Improper neutralization of special elements used in a command ('command injection') in Visual Studio allows an unauthorized attacker to execute code locally. | high |
CVE-2025-32701 | Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally. | high |
CVE-2025-30400 | Use after free in Windows DWM allows an authorized attacker to elevate privileges locally. | high |
CVE-2025-30397 | Access of resource using incompatible type ('type confusion') in Microsoft Scripting Engine allows an unauthorized attacker to execute code over a network. | high |
CVE-2025-30394 | Sensitive data storage in improperly locked memory in Remote Desktop Gateway Service allows an unauthorized attacker to deny service over a network. | medium |
CVE-2025-30393 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | high |
CVE-2025-30388 | Heap-based buffer overflow in Windows Win32K - GRFX allows an unauthorized attacker to execute code locally. | high |
CVE-2025-30387 | Improper limitation of a pathname to a restricted directory ('path traversal') in Azure allows an unauthorized attacker to elevate privileges over a network. | critical |
CVE-2025-30386 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. | high |
CVE-2025-30385 | Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally. | high |
CVE-2025-30384 | Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code locally. | high |
CVE-2025-30383 | Access of resource using incompatible type ('type confusion') in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | high |
CVE-2025-30382 | Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code locally. | high |
CVE-2025-30381 | Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | high |
CVE-2025-30379 | Release of invalid pointer or reference in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | high |
CVE-2025-30378 | Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code locally. | high |
CVE-2025-30377 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. | high |
CVE-2025-30376 | Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | high |
CVE-2025-30375 | Access of resource using incompatible type ('type confusion') in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | high |
CVE-2025-30320 | InDesign Desktop versions ID19.5.2, ID20.2 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing disruption in service. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | medium |
CVE-2025-30319 | InDesign Desktop versions ID19.5.2, ID20.2 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing a disruption in service. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | medium |
CVE-2025-30318 | InDesign Desktop versions ID19.5.2, ID20.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | high |
CVE-2025-30310 | Dreamweaver Desktop versions 21.4 and earlier are affected by an Access of Resource Using Incompatible Type ('Type Confusion') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | high |
CVE-2025-29979 | Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | high |
CVE-2025-29978 | Use after free in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally. | high |
CVE-2025-29977 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | high |
CVE-2025-29976 | Improper privilege management in Microsoft Office SharePoint allows an authorized attacker to elevate privileges locally. | high |
CVE-2025-29975 | Improper link resolution before file access ('link following') in Microsoft PC Manager allows an authorized attacker to elevate privileges locally. | high |
CVE-2025-29974 | Integer underflow (wrap or wraparound) in Windows Kernel allows an unauthorized attacker to disclose information over an adjacent network. | medium |
CVE-2025-29973 | Improper access control in Azure File Sync allows an authorized attacker to elevate privileges locally. | high |
CVE-2025-29971 | Out-of-bounds read in Web Threat Defense (WTD.sys) allows an unauthorized attacker to deny service over a network. | high |
CVE-2025-29970 | Use after free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally. | high |
CVE-2025-29969 | Time-of-check time-of-use (TOCTOU) race condition in Windows Fundamentals allows an authorized attacker to execute code over a network. | high |
CVE-2025-29968 | Improper input validation in Active Directory Certificate Services (AD CS) allows an authorized attacker to deny service over a network. | medium |
CVE-2025-29967 | Heap-based buffer overflow in Remote Desktop Gateway Service allows an unauthorized attacker to execute code over a network. | high |
CVE-2025-29966 | Heap-based buffer overflow in Windows Remote Desktop allows an unauthorized attacker to execute code over a network. | high |
CVE-2025-29964 | Heap-based buffer overflow in Windows Media allows an unauthorized attacker to execute code over a network. | high |
CVE-2025-29963 | Heap-based buffer overflow in Windows Media allows an unauthorized attacker to execute code over a network. | high |
CVE-2025-29962 | Heap-based buffer overflow in Windows Media allows an unauthorized attacker to execute code over a network. | high |
CVE-2025-29961 | Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. | medium |