Windows Server vulnerabilities: known CVEs & security history
Microsoft · 302 tracked CVEs · 0 actively exploited · updated June 2026
This is the full list of known vulnerabilities (CVEs) across all Windows Server release lines — 302 in total. A CVE here doesn't mean your version is affected — check Windows Server's current status and the safe version to run.
Known Windows Server CVEs
Actively-exploited and most-severe first. Showing the top 80 of 302.
| CVE | Severity | CVSS | EPSS | Year |
|---|---|---|---|---|
| CVE-2022-29130 | critical | 9.8 | 3% | 2022 |
| CVE-2022-26937 | critical | 9.8 | 77% | 2022 |
| CVE-2022-22012 | critical | 9.8 | 4% | 2022 |
| CVE-2022-21907 | critical | 9.8 | 93% | 2022 |
| CVE-2022-21849 | critical | 9.8 | 6% | 2022 |
| CVE-2021-43215 | critical | 9.8 | 3% | 2021 |
| CVE-2018-8421 | critical | 9.8 | 29% | 2018 |
| CVE-2022-21901 | critical | 9 | 1% | 2022 |
| CVE-2009-0568 | high | 10 | 32% | 2009 |
| CVE-2007-1916 | high | 10 | 7% | 2007 |
| CVE-2007-1917 | high | 10 | 7% | 2007 |
| CVE-2009-1133 | high | 9.3 | 30% | 2009 |
| CVE-2009-0230 | high | 9 | 35% | 2009 |
| CVE-2022-29141 | high | 8.8 | 3% | 2022 |
| CVE-2022-29139 | high | 8.8 | 2% | 2022 |
| CVE-2022-29137 | high | 8.8 | 2% | 2022 |
| CVE-2022-29131 | high | 8.8 | 3% | 2022 |
| CVE-2022-29129 | high | 8.8 | 3% | 2022 |
| CVE-2022-29128 | high | 8.8 | 3% | 2022 |
| CVE-2022-26927 | high | 8.8 | 4% | 2022 |
| CVE-2022-22019 | high | 8.8 | 2% | 2022 |
| CVE-2022-22014 | high | 8.8 | 2% | 2022 |
| CVE-2022-22013 | high | 8.8 | 2% | 2022 |
| CVE-2022-24508 | high | 8.8 | 3% | 2022 |
| CVE-2022-23294 | high | 8.8 | 2% | 2022 |
| CVE-2022-23285 | high | 8.8 | 26% | 2022 |
| CVE-2022-21990 | high | 8.8 | 19% | 2022 |
| CVE-2022-21984 | high | 8.8 | 5% | 2022 |
| CVE-2022-21922 | high | 8.8 | 3% | 2022 |
| CVE-2022-21920 | high | 8.8 | 3% | 2022 |
| CVE-2022-21857 | high | 8.8 | 2% | 2022 |
| CVE-2022-21851 | high | 8.8 | 3% | 2022 |
| CVE-2022-21850 | high | 8.8 | 3% | 2022 |
| CVE-2021-42283 | high | 8.8 | 0% | 2021 |
| CVE-2021-36970 | high | 8.8 | 3% | 2021 |
| CVE-2018-8420 | high | 8.8 | 49% | 2018 |
| CVE-2018-8332 | high | 8.8 | 19% | 2018 |
| CVE-2018-8350 | high | 8.8 | 19% | 2018 |
| CVE-2018-8260 | high | 8.8 | 15% | 2018 |
| CVE-2022-26932 | high | 8.2 | 1% | 2022 |
| CVE-2022-23270 | high | 8.1 | 73% | 2022 |
| CVE-2022-21972 | high | 8.1 | 81% | 2022 |
| CVE-2021-43217 | high | 8.1 | 6% | 2021 |
| CVE-2018-8284 | high | 8.1 | 43% | 2018 |
| CVE-2022-21893 | high | 8 | 7% | 2022 |
| CVE-2021-40464 | high | 8 | 1% | 2021 |
| CVE-2021-40461 | high | 8 | 1% | 2021 |
| CVE-2022-21995 | high | 7.9 | 1% | 2022 |
| CVE-2022-29132 | high | 7.8 | 1% | 2022 |
| CVE-2022-29115 | high | 7.8 | 2% | 2022 |
| CVE-2022-29113 | high | 7.8 | 0% | 2022 |
| CVE-2022-29105 | high | 7.8 | 3% | 2022 |
| CVE-2022-29104 | high | 7.8 | 12% | 2022 |
| CVE-2022-29103 | high | 7.8 | 1% | 2022 |
| CVE-2022-26926 | high | 7.8 | 3% | 2022 |
| CVE-2022-24537 | high | 7.8 | 0% | 2022 |
| CVE-2022-24507 | high | 7.8 | 4% | 2022 |
| CVE-2022-24459 | high | 7.8 | 1% | 2022 |
| CVE-2022-24454 | high | 7.8 | 1% | 2022 |
| CVE-2022-23299 | high | 7.8 | 8% | 2022 |
| CVE-2022-23296 | high | 7.8 | 1% | 2022 |
| CVE-2022-23293 | high | 7.8 | 1% | 2022 |
| CVE-2022-23291 | high | 7.8 | 1% | 2022 |
| CVE-2022-23290 | high | 7.8 | 1% | 2022 |
| CVE-2022-22715 | high | 7.8 | 13% | 2022 |
| CVE-2022-22001 | high | 7.8 | 1% | 2022 |
| CVE-2022-22000 | high | 7.8 | 4% | 2022 |
| CVE-2022-21994 | high | 7.8 | 4% | 2022 |
| CVE-2022-21992 | high | 7.8 | 2% | 2022 |
| CVE-2022-21989 | high | 7.8 | 3% | 2022 |
| CVE-2022-21981 | high | 7.8 | 1% | 2022 |
| CVE-2022-21974 | high | 7.8 | 5% | 2022 |
| CVE-2022-21916 | high | 7.8 | 1% | 2022 |
| CVE-2022-21914 | high | 7.8 | 1% | 2022 |
| CVE-2022-21912 | high | 7.8 | 1% | 2022 |
| CVE-2022-21910 | high | 7.8 | 1% | 2022 |
| CVE-2022-21908 | high | 7.8 | 1% | 2022 |
| CVE-2022-21902 | high | 7.8 | 1% | 2022 |
| CVE-2022-21898 | high | 7.8 | 2% | 2022 |
| CVE-2022-21897 | high | 7.8 | 1% | 2022 |
222 older / lower-severity CVEs not shown — see Windows Server's full record.
Is my Windows Server version affected?
The list above spans every release. To know whether your version is affected — and the minimum safe version to upgrade to — check it directly.
Windows Server vulnerabilities — frequently asked
How many known vulnerabilities does Windows Server have?
IsItPatched tracks 302 CVEs for Windows Server. 8 are critical-severity and 190 high-severity. These span every release line — what matters is whether the version you run is affected.
Does Windows Server have any actively-exploited vulnerabilities?
None of Windows Server's tracked CVEs are currently in CISA's KEV catalog — but new ones can be added at any time, so keep your version current.
What is the most severe Windows Server vulnerability?
Among tracked issues, CVE-2022-29130 (CRITICAL, CVSS 9.8) ranks highest.
Is Windows Server safe to use?
It depends on the version. The latest supported Windows Server release (10.0.26100) clears the known issues; older versions may still be affected. Check the exact version you run for a verdict.
CVE data aggregated from NVD, CISA KEV and EPSS (FIRST.org). Always verify against Microsoft's advisories.