MICROSOFT on Tuesday released patches to address a record 169 security flaws across its product portfolio, including one actively exploited in the wild. Of these, 157 are rated Important, eight Critical, three Moderate and one Low, with the flaws comprising mainly privilege escalations, information disclosures, and remote code execution. The updates include four non-Microsoft CVEs affecting AMD, Node[.]js, Windows Secure Boot and Git for Windows, and follow additional fixes in Edge since March.
The most consequential flaw is CVE-2026-32201, a spoofing vulnerability in Microsoft SharePoint Server with CVSS 6.5, which is being exploited in the wild and has prompted CISA to add it to the KEV catalog, requiring remediation by 28 April 2026; Microsoft notes that exploitation could let an attacker view or alter information. “At this pace, 2026 is on track to affirm that 1,000+ Patch Tuesday CVEs annually is the norm,” according to Tenable’s Satnam Narang.