threatengine.sh
Product
microsoft outlook
121 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2026-42893
< 5.2617.1
Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacke
7.4
HIGH
CVE-2026-26133
< 5.2605.0
AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.
7.1
HIGH
CVE-2026-21260
all versions
Exposure of sensitive information to an unauthorized actor in Microsoft Office Outlook allows an unauthorized attacker to perform
7.5
HIGH
CVE-2025-49699
all versions
Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
7.0
HIGH
CVE-2025-47171
all versions
Improper input validation in Microsoft Office Outlook allows an authorized attacker to execute code locally.
6.7
MEDIUM
CVE-2025-29805
< 4.2509.0
Exposure of sensitive information to an unauthorized actor in Outlook for Android allows an unauthorized attacker to disclose info
7.5
HIGH
CVE-2025-21259
< 4.2501.1
Microsoft Outlook Spoofing Vulnerability
5.3
MEDIUM
CVE-2025-21361
< 16.93
Microsoft Outlook Remote Code Execution Vulnerability
7.8
HIGH
CVE-2025-21357
all versions
Microsoft Outlook Remote Code Execution Vulnerability
6.7
MEDIUM
CVE-2024-42220
all versions
A library injection vulnerability exists in Microsoft Outlook 16.83.3 for macOS. A specially crafted library can leverage Outlook'
7.1
HIGH
CVE-2024-43604
all versions
Outlook for Android Elevation of Privilege Vulnerability
5.7
MEDIUM
CVE-2024-43482
< 4.2435.0
Microsoft Outlook for iOS Information Disclosure Vulnerability
6.5
MEDIUM
CVE-2024-38173
all versions
Microsoft Outlook Remote Code Execution Vulnerability
6.7
MEDIUM
CVE-2024-38020
all versions
Microsoft Outlook Spoofing Vulnerability
6.5
MEDIUM
CVE-2024-30103
all versions
Microsoft Outlook Remote Code Execution Vulnerability
8.8
HIGH
CVE-2024-20670
< 1.2023.0322.0100
Outlook for Windows Spoofing Vulnerability
8.1
HIGH
CVE-2024-26204
< 4.2404.0
Outlook for Android Information Disclosure Vulnerability
7.5
HIGH
CVE-2024-21378
all versions
Microsoft Outlook Remote Code Execution Vulnerability
8.8
HIGH
CVE-2023-36763
all versions
Microsoft Outlook Information Disclosure Vulnerability
7.5
HIGH
CVE-2023-36893
all versions
Microsoft Outlook Spoofing Vulnerability
6.5
MEDIUM
CVE-2023-35311
all versions
Microsoft Outlook Security Feature Bypass Vulnerability
8.8
HIGH
CVE-2023-33131
all versions
Microsoft Outlook Remote Code Execution Vulnerability
8.8
HIGH
CVE-2022-35742
all versions
Microsoft Outlook Denial of Service Vulnerability
7.5
HIGH
CVE-2023-23397
all versions
Microsoft Outlook Elevation of Privilege Vulnerability
9.8
CRITICAL
CVE-2022-24480
all versions
Outlook for Android Elevation of Privilege Vulnerability
6.3
MEDIUM
CVE-2021-31949
all versions
Microsoft Outlook Remote Code Execution Vulnerability
7.3
HIGH
CVE-2021-31941
all versions
Microsoft Office Graphics Remote Code Execution Vulnerability
7.8
HIGH
CVE-2021-28452
all versions
Microsoft Outlook Memory Corruption Vulnerability
7.1
HIGH
CVE-2020-17119
all versions
Microsoft Outlook Information Disclosure Vulnerability
6.5
MEDIUM
CVE-2020-16949
all versions
A denial of service vulnerability exists in Microsoft Outlook software when the software fails to properly handle objects in me
4.7
MEDIUM
CVE-2020-16947
all versions
A remote code execution vulnerability exists in Microsoft Outlook software when the software fails to properly handle objects i
7.5
HIGH
CVE-2020-1493
all versions
An information disclosure vulnerability exists when attaching files to Outlook messages. This vulnerability could potentially allo
5.5
MEDIUM
CVE-2020-1483
all versions
A remote code execution vulnerability exists in Microsoft Outlook when the software fails to properly handle objects in memory. An
5.0
MEDIUM
CVE-2020-1349
all versions
A remote code execution vulnerability exists in Microsoft Outlook software when it fails to properly handle objects in memory, aka
7.8
HIGH
CVE-2020-0760
all versions
A remote code execution vulnerability exists when Microsoft Office improperly loads arbitrary type libraries, aka 'Microsoft Offic
8.8
HIGH
CVE-2020-0696
all versions
A security feature bypass vulnerability exists in Microsoft Outlook software when it improperly handles the parsing of URI formats
6.5
MEDIUM
CVE-2019-1460
all versions
A spoofing vulnerability exists in the way Microsoft Outlook for Android software parses specifically crafted email messages, aka
4.6
MEDIUM
CVE-2019-1218
all versions
A spoofing vulnerability exists in the way Microsoft Outlook iOS software parses specifically crafted email messages. An authentic
5.4
MEDIUM
CVE-2019-1204
all versions
An elevation of privilege vulnerability exists when Microsoft Outlook initiates processing of incoming messages without sufficient
4.3
MEDIUM
CVE-2019-1200
all versions
A remote code execution vulnerability exists in Microsoft Outlook software when it fails to properly handle objects in memory. An
7.8
HIGH
CVE-2019-1105
all versions
A spoofing vulnerability exists in the way Microsoft Outlook for Android software parses specifically crafted email messages. An a
5.4
MEDIUM
CVE-2019-1084
all versions
An information disclosure vulnerability exists when Exchange allows creation of entities with Display Names having non-printable c
6.5
MEDIUM
CVE-2019-0560
all versions
An information disclosure vulnerability exists when Microsoft Office improperly discloses the contents of its memory, aka "Microso
5.5
MEDIUM
CVE-2019-0559
all versions
An information disclosure vulnerability exists when Microsoft Outlook improperly handles certain types of messages, aka "Microsoft
6.5
MEDIUM
CVE-2018-8582
all versions
A remote code execution vulnerability exists in the way that Microsoft Outlook parses specially modified rule export files, aka "M
8.8
HIGH
CVE-2018-8576
all versions
A remote code execution vulnerability exists in Microsoft Outlook software when it fails to properly handle objects in memory, aka
7.8
HIGH
CVE-2018-8524
all versions
A remote code execution vulnerability exists in Microsoft Outlook software when it fails to properly handle objects in memory, aka
7.8
HIGH
CVE-2018-8522
all versions
A remote code execution vulnerability exists in Microsoft Outlook software when it fails to properly handle objects in memory, aka
7.8
HIGH
CVE-2018-8244
all versions
An elevation of privilege vulnerability exists when Microsoft Outlook does not validate attachment headers properly, aka "Microsof
6.5
MEDIUM
CVE-2017-17689
all versions
The S/MIME specification allows a Cipher Block Chaining (CBC) malleability-gadget attack that can indirectly lead to plaintext exf
5.9
MEDIUM
CVE-2017-17688
all versions
The OpenPGP specification allows a Cipher Feedback Mode (CFB) malleability-gadget attack that can indirectly lead to plaintext exf
5.9
MEDIUM
CVE-2018-0852
all versions
Microsoft Outlook 2007 SP3, Microsoft Outlook 2010 SP2, Microsoft Outlook 2013 SP1 and RT SP1, Microsoft Outlook 2016, and Microso
8.8
HIGH
CVE-2018-0851
all versions
Microsoft Office 2007 SP2, Microsoft Office Word Viewer, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1 and RT SP1, Microsof
8.8
HIGH
CVE-2018-0850
all versions
Microsoft Outlook 2007, Microsoft Outlook 2010, Microsoft Outlook 2013, Microsoft Outlook 2016, and Microsoft Office 2016 Click-to
6.5
MEDIUM
CVE-2018-0791
all versions
Microsoft Outlook 2007, Microsoft Outlook 2010, Microsoft Outlook 2013, and Microsoft Outlook 2016 allow a remote code execution v
7.8
HIGH
CVE-2017-11776
all versions
Microsoft Outlook 2016 allows an attacker to obtain the email content of a user, due to how Outlook 2016 discloses user email cont
7.5
HIGH
CVE-2017-11774
all versions
Microsoft Outlook 2010 SP2, Outlook 2013 SP1 and RT SP1, and Outlook 2016 allow an attacker to execute arbitrary commands, due to
7.8
HIGH
CVE-2017-8663
all versions
Microsoft Outlook 2007 SP3, Outlook 2010 SP2, Outlook 2013 SP1, Outlook 2013 RT SP1, and Outlook 2016 as packaged in Microsoft Off
7.8
HIGH
CVE-2017-8572
all versions
Microsoft Outlook 2007 SP3, Outlook 2010 SP2, Outlook 2013 SP1, Outlook 2013 RT SP1, and Outlook 2016 as packaged in Microsoft Off
5.5
MEDIUM
CVE-2017-8571
all versions
Microsoft Outlook 2007 SP3, Outlook 2010 SP2, Outlook 2013 SP1, Outlook 2013 RT SP1, and Outlook 2016 as packaged in Microsoft Off
7.8
HIGH
CVE-2017-8545
all versions
A spoofing vulnerability exists when Microsoft Outlook for Mac does not sanitize HTML properly, aka "Microsoft Outlook for Mac
6.5
MEDIUM
CVE-2017-8508
all versions
A security feature bypass vulnerability exists in Microsoft Office software when it improperly handles the parsing of file formats
5.5
MEDIUM
CVE-2017-8507
all versions
A remote code execution vulnerability exists in the way Microsoft Office software parses specially crafted email messages, aka "Mi
7.8
HIGH
CVE-2017-8506
all versions
A remote code execution vulnerability exists in Microsoft Office when the software fails to properly handle objects in memory, aka
7.8
HIGH
CVE-2017-0207
all versions
Microsoft Outlook for Mac 2011 allows remote attackers to spoof web content via a crafted email with specific HTML tags, aka "Micr
6.5
MEDIUM
CVE-2017-0204
all versions
Microsoft Outlook 2007 SP3, Microsoft Outlook 2010 SP2, Microsoft Outlook 2013 SP1, and Microsoft Outlook 2016 allow remote attack
5.5
MEDIUM
CVE-2017-0106
all versions
Microsoft Excel 2007 SP3, Microsoft Outlook 2010 SP2, Microsoft Outlook 2013 SP1, and Microsoft Outlook 2016 allow remote attacker
7.8
HIGH
CVE-2016-3366
all versions
Microsoft Outlook 2007 SP3, Outlook 2010 SP2, Outlook 2013 SP1, Outlook 2013 RT SP1, Outlook 2016, and Outlook 2016 for Mac do not
6.5
MEDIUM
CVE-2016-3278
all versions
Microsoft Outlook 2010 SP2, 2013 SP1, 2013 RT SP1, and 2016 allows remote attackers to execute arbitrary code via a crafted Office
7.8
HIGH
CVE-2015-1641
all versions
Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility
7.8
HIGH
CVE-2014-5239
<= 7.8.2.12.49.6434
The Microsoft Outlook.com application before 7.8.2.12.49.7090 for Android does not verify X.509 certificates from SSL servers, whi
CVE-2013-3905
all versions
Microsoft Outlook 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT does not properly expand metadata contained in S/MIME certificates
CVE-2013-3870
all versions
Double free vulnerability in Microsoft Outlook 2007 SP3 and 2010 SP1 and SP2 allows remote attackers to execute arbitrary code by
CVE-2010-2728
all versions
Heap-based buffer overflow in Microsoft Outlook 2002 SP3, 2003 SP3, and 2007 SP2, when Online Mode for an Exchange Server is enabl
CVE-2010-0266
all versions
Microsoft Office Outlook 2002 SP3, 2003 SP3, and 2007 SP1 and SP2 does not properly verify e-mail attachments with a PR_ATTACH_MET
CVE-2008-3068
all versions
Microsoft Crypto API 5.131.2600.2180 through 6.0, as used in Outlook, Windows Live Mail, and Office 2007, performs Certificate Rev
CVE-2007-4040
all versions
Argument injection vulnerability involving Microsoft Outlook and Outlook Express, when certain URIs are registered, allows remote
8.8
HIGH
CVE-2007-0671
all versions
Unspecified vulnerability in Microsoft Excel 2000, XP, 2003, and 2004 for Mac, and possibly other Office products, allows remote u
8.8
HIGH
CVE-2007-0034
all versions
Buffer overflow in the Advanced Search (Finder.exe) feature of Microsoft Outlook 2000, 2002, and 2003 allows user-assisted remote
CVE-2007-0033
all versions
Microsoft Outlook 2002 and 2003 allows user-assisted remote attackers to execute arbitrary code via a malformed VEVENT record in a
CVE-2006-1305
all versions
Microsoft Outlook 2000, 2002, and 2003 allows user-assisted remote attackers to cause a denial of service (memory exhaustion and i
CVE-2006-6659
all versions
The Microsoft Office Outlook Recipient ActiveX control (ole32.dll) in Windows XP SP2 allows remote attackers to cause a denial of
CVE-2006-3877
all versions
Unspecified vulnerability in PowerPoint in Microsoft Office 2000, Office 2002, Office 2003, Office 2004 for Mac, and Office v.X fo
CVE-2006-4868
all versions
Stack-based buffer overflow in the Vector Graphics Rendering engine (vgx.dll), as used in Microsoft Outlook and Internet Explorer
CVE-2006-2055
all versions
Argument injection vulnerability in Microsoft Outlook 2003 SP1 allows user-assisted remote attackers to modify command line argume
CVE-2006-0002
all versions
Unspecified vulnerability in Microsoft Outlook 2000 through 2003, Exchange 5.0 Server SP2 and 5.5 SP4, Exchange 2000 SP3, and Offi
CVE-2005-1052
all versions
Microsoft Outlook 2003 and Outlook Web Access (OWA) 2003 do not properly display comma separated addresses in the From field in an
CVE-2004-2482
all versions
Microsoft Outlook 2000 and 2003, when configured to use Microsoft Word 2000 or 2003 as the e-mail editor and when forwarding e-mai
CVE-2004-0284
all versions
Microsoft Internet Explorer 6.0, Outlook 2002, and Outlook 2003 allow remote attackers to cause a denial of service (CPU consumpti
CVE-2004-0200
all versions
Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, all
CVE-2004-0503
all versions
Microsoft Outlook 2003 allows remote attackers to bypass the default zone restrictions and execute script within media files via a
CVE-2004-0502
all versions
Outlook 2003, when replying to an e-mail message, stores certain files in a predictable location for the "src" of an img tag of th
CVE-2004-0501
all versions
Outlook 2003 allows remote attackers to bypass intended access restrictions and cause Outlook to request a URL from a remote site
CVE-2004-0526
all versions
Unknown versions of Internet Explorer and Outlook allow remote attackers to spoof a legitimate URL in the status bar via A HREF ta
CVE-2004-0204
all versions
Directory traversal vulnerability in the web viewers for Business Objects Crystal Reports 9 and 10, and Crystal Enterprise 9 or 10
CVE-2003-1048
all versions
Double free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of
7.8
HIGH
CVE-2004-0121
all versions
Argument injection vulnerability in Microsoft Outlook 2002 does not sufficiently filter parameters of mailto: URLs when using them
CVE-2003-1378
all versions
Microsoft Outlook Express 6.0 and Outlook 2000, with the security zone set to Internet Zone, allows remote attackers to execute ar
CVE-2003-0007
all versions
Microsoft Outlook 2002 does not properly handle requests to encrypt email messages with V1 Exchange Server Security certificates,
CVE-2002-2101
all versions
Microsoft Outlook 2002 allows remote attackers to execute arbitrary JavaScript code, even when scripting is disabled, via an "abou
CVE-2002-2100
all versions
Microsoft Outlook 2002 allows remote attackers to embed bypass the file download restrictions for attachments via an HTML email me
CVE-2002-1255
all versions
Microsoft Outlook 2002 allows remote attackers to cause a denial of service (repeated failure) via an email message with a certain
CVE-2002-0481
all versions
An interaction between Windows Media Player (WMP) and Outlook 2002 allows remote attackers to bypass Outlook security settings and
CVE-2002-1056
all versions
Microsoft Outlook 2000 and 2002, when configured to use Microsoft Word as the email editor, does not block scripts that are used w
CVE-2001-0538
<= 2002
Microsoft Outlook View ActiveX Control in Microsoft Outlook 2002 and earlier allows remote attackers to execute arbitrary commands
CVE-2001-1088
all versions
Microsoft Outlook 8.5 and earlier, and Outlook Express 5 and earlier, with the "Automatically put people I reply to in my address
CVE-2001-0322
all versions
MSHTML.DLL HTML parser in Internet Explorer 4.0, and other versions, allows remote attackers to cause a denial of service (applica
CVE-2001-0145
all versions
Buffer overflow in VCard handler in Outlook 2000 and 98, and Outlook Express 5.x, allows an attacker to execute arbitrary commands
CVE-2000-0756
all versions
Microsoft Outlook 2000 does not properly process long or malformed fields in vCard (.vcf) files, which allows attackers to cause a
CVE-2000-0753
all versions
The Microsoft Outlook mail client identifies the physical path of the sender's machine within a winmail.dat attachment to Rich Tex
CVE-2000-0621
all versions
Microsoft Outlook 98 and 2000, and Outlook Express 4.0x and 5.0x, allow remote attackers to read files on the client's system via
CVE-2000-0567
all versions
Buffer overflow in Microsoft Outlook and Outlook Express allows remote attackers to execute arbitrary commands via a long Date fie
CVE-2000-0524
all versions
Microsoft Outlook and Outlook Express allow remote attackers to cause a denial of service by sending email messages with blank fie
CVE-2000-0415
all versions
Buffer overflow in Outlook Express 4.x allows attackers to cause a denial of service via a mail or news message that has a .jpg or
CVE-2000-0419
all versions
The Office 2000 UA ActiveX Control is marked as "safe for scripting," which allows remote attackers to conduct unauthorized activi
CVE-2000-0216
all versions
Microsoft email clients in Outlook, Exchange, and Windows Messaging automatically respond to Read Receipt and Delivery Receipt tag
CVE-2000-0160
all versions
The Microsoft Active Setup ActiveX component in Internet Explorer 4.x and 5.x allows a remote attacker to install software compone
CVE-2000-0329
all versions
A Microsoft ActiveX control allows a remote attacker to execute a malicious cabinet file via an attachment and an embedded script
CVE-1999-1164
all versions
Microsoft Outlook client allows remote attackers to cause a denial of service by sending multiple email messages with the same X-U
CVE-1999-0384
all versions
The Forms 2.0 ActiveX control (included with Visual Basic for Applications 5.0) can be used to read text from a user's clipboard w
CVE-1999-0519
all versions
A NETBIOS/SMB share password is the default, null, or missing.
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin