CVE-2017-15042 An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013, upstream issue #5184, this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn't advertise STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and password.

Information published.


CVE-2023-6856 The WebGL `DrawElementsInstanced` method was susceptible to a heap buffer overflow when used on systems with the Mesa VM driver. This issue could allow an attacker to perform remote code execution and sandbox escape. This vulnerability affects Firefox ESR < 115.6, Thunderbird < 115.6, and Firefox < 121.

Information published.


CVE-2025-24855 numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an XPath context node can be modified but never restored. This is related to xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal.

Information published.


CVE-2026-20841 Windows Notepad App Remote Code Execution Vulnerability

Added FAQ information. This is an informational change only.


CVE-2026-21518 GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability

Improper neutralization of special elements used in a command (‘command injection’) in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to bypass a security feature over a network.


CVE-2026-21519 Desktop Window Manager Elevation of Privilege Vulnerability

Access of resource using incompatible type (‘type confusion’) in Desktop Window Manager allows an authorized attacker to elevate privileges locally.


CVE-2025-2884 Cert CC: CVE-2025-2884 Out-of-Bounds read vulnerability in TCG TPM2.0 reference implementation

Added Affected Software for Windows packages.


CVE-2026-21249 Windows NTLM Spoofing Vulnerability

External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing locally.


CVE-2026-21247 Windows Hyper-V Remote Code Execution Vulnerability

Improper input validation in Windows Hyper-V allows an authorized attacker to execute code locally.


CVE-2026-21251 Cluster Client Failover (CCF) Elevation of Privilege Vulnerability

Use after free in Windows Cluster Client Failover allows an authorized attacker to elevate privileges locally.

