Microsoft Sql Server 2025 — known CVE vulnerabilities
Every CVE whose affected-product data names Microsoft Sql Server 2025, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (8)
CVE-2026-33120 — CVSS 8.8 (high): Untrusted pointer dereference in SQL Server allows an authorized attacker to execute code over a network.
CVE-2026-21262 — CVSS 8.8 (high): Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network.
CVE-2026-26115 — CVSS 8.8 (high): Improper validation of specified type of input in SQL Server allows an authorized attacker to elevate privileges over a network.
CVE-2026-26116 — CVSS 8.8 (high): Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate…
CVE-2026-40370 — CVSS 8.8 (high): External control of file name or path in SQL Server allows an authorized attacker to execute code over a network.
CVE-2026-20803 — CVSS 7.2 (high): Missing authentication for critical function in SQL Server allows an authorized attacker to elevate privileges over a network.
CVE-2026-32176 — CVSS 6.7 (medium): Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate…
CVE-2026-32167 — CVSS 6.7 (medium): Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate…