Microsoft Security Response Center Blog Alerts

Release of invalid pointer or reference in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Heap-based buffer overflow in Windows Media allows an unauthorized attacker to execute code over a network.

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/202 5) for more information.

Information published.

Server-Side Request Forgery (SSRF) in Microsoft Power Apps allows an unauthorized attacker to disclose information over a network

An elevation of privilege vulnerability exists when Visual Studio improperly handles pipeline job tokens. An attacker who successfully exploited this vulnerability could extend their access to a project.

To exploit this vulnerability, an attacker would first have to have access to the project and swap the short-term token for a long-term one.

The update addresses the vulnerability by correcting how the Visual Studio updater handles these tokens.

Improper Authorization in Azure Automation allows an authorized attacker to elevate privileges over a network.

Server-Side Request Forgery (SSRF) in Azure allows an authorized attacker to perform spoofing over a network.

Improper access control in Azure allows an unauthorized attacker to disclose information over a network.

Improper authorization in Azure Bot Framework SDK allows an unauthorized attacker to elevate privileges over a network.