Outlook vulnerabilities: known CVEs & security history
Microsoft · Actively exploited · 121 tracked CVEs · 5 actively exploited · updated June 2026 · what is a CVE? →
This is the full list of known vulnerabilities (CVEs) across all Outlook release lines — 121 in total, with 5 actively exploited in the wild. A CVE here doesn't mean your version is affected — check Outlook's current status and the safe version to run.
Known Outlook CVEs
Actively-exploited and most-severe first. Showing the top 80 of 121. Open any CVE for full details.
| CVE | Severity | CVSS | EPSS | Year |
|---|---|---|---|---|
| CVE-2023-23397⚡ exploited | critical | 9.8 | 97% | 2023 |
| CVE-2023-35311⚡ exploited | high | 8.8 | 15% | 2023 |
| CVE-2007-0671⚡ exploited | high | 8.8 | 42% | 2007 |
| CVE-2017-11774⚡ exploited | high | 7.8 | 60% | 2017 |
| CVE-2015-1641⚡ exploited | high | 7.8 | 97% | 2015 |
| CVE-2001-0538 | high | 10 | 53% | 2001 |
| CVE-2013-3870 | high | 9.3 | 19% | 2013 |
| CVE-2010-2728 | high | 9.3 | 17% | 2010 |
| CVE-2010-0266 | high | 9.3 | 54% | 2010 |
| CVE-2007-0033 | high | 9.3 | 32% | 2007 |
| CVE-2007-0034 | high | 9.3 | 37% | 2007 |
| CVE-2006-3877 | high | 9.3 | 12% | 2006 |
| CVE-2006-4868 | high | 9.3 | 59% | 2006 |
| CVE-2004-0200 | high | 9.3 | 49% | 2004 |
| CVE-2024-30103 | high | 8.8 | 3% | 2024 |
| CVE-2024-21378 | high | 8.8 | 11% | 2024 |
| CVE-2023-33131 | high | 8.8 | 6% | 2023 |
| CVE-2020-0760 | high | 8.8 | 9% | 2020 |
| CVE-2018-8582 | high | 8.8 | 19% | 2018 |
| CVE-2018-0852 | high | 8.8 | 20% | 2018 |
| CVE-2018-0851 | high | 8.8 | 19% | 2018 |
| CVE-2007-4040 | high | 8.8 | 13% | 2007 |
| CVE-2003-1378 | high | 8.8 | 16% | 2003 |
| CVE-2024-20670 | high | 8.1 | 2% | 2024 |
| CVE-2025-21361 | high | 7.8 | 1% | 2025 |
| CVE-2021-31941 | high | 7.8 | 3% | 2021 |
| CVE-2020-1349 | high | 7.8 | 23% | 2020 |
| CVE-2019-1200 | high | 7.8 | 5% | 2019 |
| CVE-2018-8576 | high | 7.8 | 19% | 2018 |
| CVE-2018-8524 | high | 7.8 | 19% | 2018 |
| CVE-2018-8522 | high | 7.8 | 19% | 2018 |
| CVE-2018-0791 | high | 7.8 | 21% | 2018 |
| CVE-2017-8663 | high | 7.8 | 19% | 2017 |
| CVE-2017-8571 | high | 7.8 | 6% | 2017 |
| CVE-2017-8507 | high | 7.8 | 20% | 2017 |
| CVE-2017-8506 | high | 7.8 | 24% | 2017 |
| CVE-2017-0106 | high | 7.8 | 28% | 2017 |
| CVE-2016-3278 | high | 7.8 | 20% | 2016 |
| CVE-2003-1048 | high | 7.8 | 27% | 2004 |
| CVE-2000-0160 | high | 7.6 | 9% | 2000 |
| CVE-2026-21260 | high | 7.5 | 1% | 2026 |
| CVE-2025-29805 | high | 7.5 | 1% | 2025 |
| CVE-2024-26204 | high | 7.5 | 2% | 2024 |
| CVE-2023-36763 | high | 7.5 | 2% | 2023 |
| CVE-2022-35742 | high | 7.5 | 22% | 2023 |
| CVE-2020-16947 | high | 7.5 | 34% | 2020 |
| CVE-2017-11776 | high | 7.5 | 9% | 2017 |
| CVE-2008-3068 | high | 7.5 | 17% | 2008 |
| CVE-2006-0002 | high | 7.5 | 46% | 2006 |
| CVE-2004-0204 | high | 7.5 | 73% | 2004 |
| CVE-2004-0121 | high | 7.5 | 48% | 2004 |
| CVE-2002-2101 | high | 7.5 | 11% | 2002 |
| CVE-2002-1056 | high | 7.5 | 19% | 2002 |
| CVE-2001-1088 | high | 7.5 | 20% | 2001 |
| CVE-2001-0145 | high | 7.5 | 7% | 2001 |
| CVE-2000-0621 | high | 7.5 | 22% | 2000 |
| CVE-2000-0419 | high | 7.5 | 21% | 2000 |
| CVE-1999-0519 | high | 7.5 | 6% | 1997 |
| CVE-2026-42893 | high | 7.4 | 0% | 2026 |
| CVE-2021-31949 | high | 7.3 | 3% | 2021 |
| CVE-2026-26133 | high | 7.1 | 0% | 2026 |
| CVE-2024-42220 | high | 7.1 | 1% | 2024 |
| CVE-2021-28452 | high | 7.1 | 1% | 2021 |
| CVE-2025-49699 | high | 7 | 0% | 2025 |
| CVE-2025-47171 | medium | 6.7 | 1% | 2025 |
| CVE-2025-21357 | medium | 6.7 | 1% | 2025 |
| CVE-2024-38173 | medium | 6.7 | 1% | 2024 |
| CVE-2024-43482 | medium | 6.5 | 1% | 2024 |
| CVE-2024-38020 | medium | 6.5 | 2% | 2024 |
| CVE-2023-36893 | medium | 6.5 | 2% | 2023 |
| CVE-2020-17119 | medium | 6.5 | 4% | 2020 |
| CVE-2020-0696 | medium | 6.5 | 5% | 2020 |
| CVE-2019-1084 | medium | 6.5 | 5% | 2019 |
| CVE-2019-0559 | medium | 6.5 | 7% | 2019 |
| CVE-2018-8244 | medium | 6.5 | 5% | 2018 |
| CVE-2018-0850 | medium | 6.5 | 5% | 2018 |
| CVE-2017-8545 | medium | 6.5 | 5% | 2017 |
| CVE-2017-0207 | medium | 6.5 | 10% | 2017 |
| CVE-2016-3366 | medium | 6.5 | 16% | 2016 |
| CVE-2022-24480 | medium | 6.3 | 1% | 2022 |
41 older / lower-severity CVEs not shown — see Outlook's full record.
Is my Outlook version affected?
The list above spans every release. To know whether your version is affected — and the minimum safe version to upgrade to — check it directly.
Check your Outlook version → · Monitor Outlook for new CVEs →
Outlook vulnerabilities — frequently asked
How many known vulnerabilities does Outlook have?
IsItPatched tracks 121 CVEs for Outlook, 5 of which are actively exploited (CISA KEV). 1 is critical-severity and 63 high-severity. These span every release line — what matters is whether the version you run is affected.
Does Outlook have any actively-exploited vulnerabilities?
Yes — 5 Outlook CVEs are in CISA's Known Exploited Vulnerabilities catalog, meaning they are confirmed exploited in the wild. Patch these as a priority.
What is the most severe Outlook vulnerability?
Among tracked issues, CVE-2023-23397 (CRITICAL, CVSS 9.8), which is actively exploited, ranks highest — a Improper input validation weakness.
Is Outlook safe to use?
It depends on the version. The latest supported Outlook release clears the known issues; older versions may still be affected. Check the exact version you run for a verdict.
CVE data aggregated from NVD, CISA KEV and EPSS (FIRST.org). Related: Outlook security status · Outlook end-of-life · actively-exploited CVEs. Always verify against Microsoft's advisories — see our disclaimer.