Microsoft — Security Activity Report
Windows + Azure + Office (MSRC advisories)
Generated Jul 13, 2026Cohort: 9 vendors with ≥10 CVE advisoriesMethodology ↗
CVE Disclosure Volume
Total all-time: 21,903 CVEs with Microsoft advisories. Source: NVD CVE records joined with vendor advisory publish dates.
Severity Composition
↑ +12.3 pp55.5% of Microsoft's 21,903 CVEs are CRITICAL or HIGH severity. Industry median: 43.2%. Source: NVD CVSS v3.1.
CISA KEV Listings
at industry median126 of 12,474 Microsoft CVEs in the last 3 years are on CISA's Known Exploited Vulnerabilities catalog (1.0%). Industry median: 1.0%.
Source: CISA Known Exploited Vulnerabilities catalog (current snapshot). KEV listing means CISA observed active in-the-wild exploitation.
Vendor Patch Velocity
↓ -6.2 daysMedian time from CVE disclosure to Microsoft advisory: 9 days (p25 2 days – p75 52 days). Industry median: 15 days.
Sample size: 8,708 CVE→advisory pairs over the last 3 years. Source: vendor advisory published_at minus CVE published.
Top Recurring Weakness Classes
Most-frequently mapped CWEs across Microsoft's last 3 years of CVE disclosures. Source: NVD — CWE mapping per MITRE taxonomy.
Recent Security Advisories
Latest advisories published by Microsoft, straight from the vendor's own feed. Severity labels are the vendor's — scales differ across vendors.
- CVE-2026-59997MediumCVSS 4.2Jul 11, 2026
internal-sftp in sshd in OpenSSH before 10.4 recognizes only the first 9 command-line arguments, which can be important if a later command-line argument would have helped to ensure the intended security properties of an SFTP connection.
- CVE-2026-59996MediumCVSS 4.2Jul 11, 2026
scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations.
- CVE-2026-59995MediumCVSS 4.2Jul 11, 2026
sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when "sftp server:/path ." is used with an attacker-controlled server.
- CVE-2026-60001MediumCVSS 6.5Jul 11, 2026
sshd in OpenSSH before 10.4 does not always honor the minimum authentication delay.
- CVE-2026-60000LowCVSS 3.7Jul 11, 2026
sshd in OpenSSH before 10.4 allows remote attackers to cause a denial of service (resource consumption from excessive authentication attempts) because MaxAuthTries was mishandled for GSSAPIAuthentication.
- CVE-2026-59999MediumCVSS 5.9Jul 11, 2026
In sshd in OpenSSH before 10.4, DisableForwarding=yes was supposed to take precedence over PermitTunnel=yes, but did not.
- CVE-2026-60002HighCVSS 7.7Jul 11, 2026
ssh in OpenSSH before 10.4 can have a use-after-free when a server changes its host key during a key re-exchange. (This outcome occurs only on the client side.)
- CVE-2026-56002HighCVSS 8.5Jul 11, 2026
libXfont2 PCF Font Parsing Heap Buffer Overflow
Full advisory archive: /pulse/vendor-advisories →
Data sources & corrections
- NVD National Vulnerability Database (nvd.nist.gov) — CVE records + CVSS v3.1 severity
- MITRE cvelistV5 (github.com/CVEProject/cvelistV5) — CNA-published CVE timestamps
- CISA Known Exploited Vulnerabilities catalog (cisa.gov/known-exploited-vulnerabilities-catalog)
- Vendor security advisories (RHSA, USN, MSRC, GHSA, etc.) — published_at timestamps
- MITRE CWE taxonomy (cwe.mitre.org) — weakness class mappings
Snapshot generated Jul 13, 2026. Industry medians refresh every 6 hours; raw vendor counts are queried live on each request.
Spot a factual error in this report?
Email [email protected] with the specific number you're disputing and a link to the authoritative source. We review every report and publish corrections on the methodology page.