Windows
This hub aggregates every CVE we track for Windows, a product in the operating systems space. Use it to gauge the current risk picture and drill into individual advisories.
1,377
CVEs tracked
118
Critical
842
High
59
In CISA KEV
Severity distribution
HIGH842MEDIUM374CRITICAL118LOW43
Monthly trend
1
1
0
0
2
0
0
0
0
0
0
3
0
0
0
3
0
0
0
0
0
0
0
0
2024-082026-07
Latest CVEs
The 15 most recently published vulnerabilities affecting Windows.
- CVE-2025-11567CWE-276: Incorrect Default Permissions vulnerability exists that could cause elevated system access when the target installation folder is not properly secured.7.8
- CVE-2025-11566CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that would allow an attacker on the local network to gain access to the user account by performing an arbitra...7.3
- CVE-2025-11565CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause elevated system access when a Web Admin user on the local network tamper...7.0
- CVE-2025-46385CWE-918 Server-Side Request Forgery (SSRF)8.6
- CVE-2025-46384CWE-434 Unrestricted Upload of File with Dangerous Type8.8
- CVE-2025-46383CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')6.1
- CVE-2022-40733An access violation vulnerability exists in the DirectComposition functionality win32kbase.sys driver version 10.0.22000.593 as part of Windows 11 version 22000.593 and version 10.0.20348.643 as pa...5.0
- CVE-2022-40732An access violation vulnerability exists in the DirectComposition functionality win32kbase.sys driver version 10.0.22000.593 as part of Windows 11 version 22000.593 and version 10.0.20348.643 as pa...5.0
- CVE-2024-36138Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious com...8.1
- CVE-2024-22169Misconfiguration in node.js causing a code execution in WD Discovery9.3
- CVE-2024-36991Path Traversal on the “/modules/messaging/“ endpoint in Splunk Enterprise on Windows7.5
- CVE-2024-4577Argument Injection in PHP-CGIKEV9.8
- CVE-2024-3661DHCP routing options can manipulate interface-based VPN traffic7.6
- CVE-2024-22423yt-dlp `--exec` command injection when using `%q` in yt-dlp on Windows8.3
- CVE-2024-2169Implementations of UDP application protocols are susceptible to network loops and denial of service7.5
Product normalization is registry-driven with AI assist and human review. How it works