Threat Modeling and Security by Design
Threat modeling tooling: Use our tool to start threat modeling within minutes.
Solve your threat modeling problems: We can help you to implement threat modeling and security by design.
Learn about threat modeling: We have lots of content to teach you about threat modeling.
Our Threat Modeling Tool Helps You to Perform Structured Threat Modeling at Scale
It’s easy to get started with threat modeling and gain initial security value from it. However, rolling out structured threat modeling at scale is a different matter. Our threat modeling tool helps you to get the most out of threat modeling, in order to apply security by design and default.
- Powerful assessment engine to understand potential threats and security weaknesses.
- Flexible diagram engine to visualize components and communication flows in play.
- Clear reporting and metrics for compliance demonstration.
Try our threat modeling tool and get started within minutes!
Tooling
We have a full list of threat modeling tools that can help you perform threat modeling, including our own threat modeling tool.
Templates
Templates can help to kickstart the process. We have lots of free templates available.
Examples
We believe that you learn best from practical and real-world examples. We have lots of example cases and threat models available.
Threat Modeling Articles
Threat Modeling Tooling
Explanation of the Threat Modeling Tool
STRIDE Threat Modeling
The Ultimate List of STRIDE Threat Examples
STRIDE Threat Modeling Example for Better Understanding and Learning
STRIDE Threat Modeling in DevOps: A Perfect Fit
What is STRIDE Threat Modeling
STRIDE Threat Modeling Frequently Asked Questions and Answers (FAQs)
Threat Modeling
How to use Data Flow Diagrams in Threat Modeling
Threat Modeling Versus Vulnerability Management
CAPEC Threat Modeling
Threat Modeling Framework
Why Threat Modeling is Overly Complex and How We Can Simplify It
CIS Controls
CIS Controls (CIS Critical Security Controls)
OWASP Top 10
PASTA Threat Modeling
PASTA Threat Modeling and DevOps
A PASTA Threat Modeling Example
TRIKE Threat Modeling
NIST
LINDDUN Threat Modeling
DREAD Threat Modeling
CISO Security Mind Map
AI Security
Adding AI to Applications: What You Need to Know for Safety and Security
Two vulnerabilities in Microsoft Copilot have been disclosed: an injection vulnerability in Copilot Chat for Microsoft Edge (CVE-2026-47644, CVSS 6.5) and a command injection vulnerability in Microsoft Copilot (CVE-2026-45497, CVSS 7.7). Both allow an authorised attacker to execute code or disclose information over a network. What Are the Vulnerabilities? CVE-2026-47644 — Copilot Chat Injection (CVSS 6.5, CWE-74): An improper neutralisation of special elements in…
An information disclosure vulnerability in Microsoft Graph, tracked as CVE-2026-47655 (CVSS 6.5), allows an authorised attacker to disclose information over a network. Microsoft Graph is the unified API endpoint for accessing data across Microsoft 365 services — including Exchange Online, SharePoint, Teams, and OneDrive. What Is the Vulnerability? CVE-2026-47655 is an exposure of sensitive information vulnerability in Microsoft Graph (CWE-200). The vulnerability allows an…
Two vulnerabilities in Microsoft Defender have been disclosed: a heap-based buffer overflow (CVE-2026-45584, CVSS 8.1) enabling unauthorised remote code execution, and a denial-of-service vulnerability (CVE-2026-45498, CVSS 4.0). Both were covered extensively in the May 22, 2026 Vulnerability Intelligence Report and had a CISA KEV remediation deadline of June 3, 2026 — now passed. The fix is delivered through the Malware Protection Engine update to…
Microsoft has acknowledged a security feature bypass vulnerability in Windows BitLocker, publicly known as “YellowKey” and tracked as CVE-2026-45585. The vulnerability affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025. A proof-of-concept has been publicly released, and Microsoft has published mitigation guidance while working on a permanent security update. What Is the Vulnerability? CVE-2026-45585 (YellowKey) is a security feature bypass in Windows BitLocker…
Two deserialization vulnerabilities in Microsoft SharePoint Server, tracked as CVE-2026-47294 (CVSS 8.0) and CVE-2026-45659 (CVSS 8.8), allow authenticated attackers to execute arbitrary code over a network. Both affect SharePoint Server Subscription Edition, 2016, and 2019, and are fixed in build 16.0.19725.20280 for the Subscription Edition. What Are the Vulnerabilities? Both vulnerabilities involve deserialization of untrusted data — a well-known and frequently exploited vulnerability class…
An improper authentication vulnerability in Azure Resource Manager (ARM), tracked as CVE-2026-47280, allows an unauthorised attacker to elevate privileges over a network. The vulnerability carries a CVSS score of 10.0 — the maximum possible severity — and affects Azure’s core management and deployment platform. Microsoft has released a security update. What Is the Vulnerability? CVE-2026-47280 is an authentication bypass vulnerability in Azure Resource Manager…