M-Files Server
CVEs (32)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-10127 | Cri | 0.64 | 9.8 | 0.01 | Nov 20, 2024 | Authentication bypass condition in LDAP authentication in M-Files server versions before 24.11 supported usage of OpenLDAP configurations that allowed user authentication without a password when the LDAP server itself had the vulnerable configuration. | ||
| CVE-2025-13008 | Hig | 0.56 | — | 0.01 | Dec 19, 2025 | An information disclosure vulnerability in M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and 24.8 LTS SR5 allows an authenticated attacker using M-Files Web to capture session tokens of other active users. | ||
| CVE-2025-0635 | Hig | 0.49 | 7.5 | 0.01 | Jan 23, 2025 | Denial of service condition in M-Files Server in versions before 25.1.14445.5 allows an unauthenticated user to consume computing resources in certain conditions. | ||
| CVE-2024-4056 | Hig | 0.49 | 7.5 | 0.01 | Apr 26, 2024 | Denial of service condition in M-Files Server in versions before 24.4.13592.4 and after 23.11 (excluding 24.2 LTS) allows unauthenticated user to consume computing resources. | ||
| CVE-2023-6912 | Hig | 0.49 | 7.5 | 0.01 | Dec 20, 2023 | Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authentication attempts, potentially compromising targeted M-Files user accounts by guessing passwords. | ||
| CVE-2023-3405 | Hig | 0.49 | 7.5 | 0.01 | Jun 27, 2023 | Unchecked parameter value in M-Files Server in versions before 23.6.12695.3 (excluding 23.2 SR2 and newer) allows anonymous user to cause denial of service | ||
| CVE-2023-0383 | Hig | 0.49 | 7.5 | 0.01 | Apr 20, 2023 | User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolled memory consumption. | ||
| CVE-2021-41807 | Hig | 0.49 | 7.5 | 0.01 | Jan 18, 2022 | Lack of rate limiting in M-Files Server and M-Files Web products with versions before 21.12.10873.0 in certain type of user accounts allows unlimited amount of attempts and therefore makes brute-forcing login accounts easier. | ||
| CVE-2026-0932 | Hig | 0.47 | 7.3 | 0.00 | Apr 1, 2026 | Blind server-side request forgery (SSRF) vulnerability in legacy connection methods of document co-authoring features in M-Files Server before 26.3 allow an unauthenticated attacker to cause the server to send HTTP GET requests to arbitrary URLs. | ||
| CVE-2026-0983 | Hig | 0.46 | — | 0.00 | May 18, 2026 | Denial-of-service condition in M-Files Server versions before 26.5.16015.0, before 26.2 LTS, and before 25.8 LTS SR3 allows an authenticated user to cause the MFserver process to crash | ||
| CVE-2025-3086 | Hig | 0.46 | 7.1 | 0.00 | Apr 4, 2025 | Improper isolation of users in M-Files Server version before 25.3.14549 allows anonymous user to affect other anonymous users views and possibly cause a denial of service | ||
| CVE-2025-5964 | Med | 0.43 | 6.5 | 0.10 | Jun 15, 2025 | A path traversal issue in the API endpoint in M-Files Server before version 25.6.14925.0 allows an authenticated user to read files in the server. | ||
| CVE-2024-6789 | Med | 0.42 | 6.5 | 0.01 | Aug 27, 2024 | A path traversal issue in API endpoint in M-Files Server before version 24.8.13981.0 and LTS 24.2.13421.15 SR2 and LTS 23.8.12892.0 SR6 allows authenticated user to read files | ||
| CVE-2023-6910 | Med | 0.42 | 6.5 | 0.01 | Dec 20, 2023 | A vulnerable API method in M-Files Server before 23.12.13195.0 allows for uncontrolled resource consumption. Authenticated attacker can exhaust server storage space to a point where the server can no longer serve requests. | ||
| CVE-2023-3425 | Med | 0.42 | 6.5 | 0.01 | Aug 25, 2023 | Out-of-bounds read issue in M-Files Server versions below 23.8.12892.6 and LTS Service Release Versions before 23.2 LTS SR3 allows unauthenticated user to read restricted amount of bytes from memory. | ||
| CVE-2023-0384 | Med | 0.42 | 6.5 | 0.01 | Apr 20, 2023 | User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolled memory consumption for a scheduled job. | ||
| CVE-2023-0382 | Med | 0.42 | 6.5 | 0.01 | Apr 5, 2023 | User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolled memory consumption. | ||
| CVE-2023-6117 | Med | 0.37 | 5.7 | 0.01 | Nov 22, 2023 | A possibility of unwanted server memory consumption was detected through the obsolete functionalities in the Rest API methods of the M-Files server before 23.11.13156.0 which allows attackers to execute DoS attacks. | ||
| CVE-2023-6239 | Med | 0.35 | 5.4 | 0.01 | Nov 28, 2023 | Under rare conditions, the effective permissions of an object might be incorrectly calculated if the object has a specific configuration of metadata-driven permissions in M-Files Server versions 23.9, 23.10, and 23.11 before 23.11.13168.7, potentially enabling unauthorized… | ||
| CVE-2022-1911 | Med | 0.34 | 5.3 | 0.01 | Nov 30, 2022 | Error in parser function in M-Files Server versions before 22.6.11534.1 and before 22.6.11505.0 allowed unauthenticated access to some information of the underlying operating system. |
- risk 0.64cvss 9.8epss 0.01
Authentication bypass condition in LDAP authentication in M-Files server versions before 24.11 supported usage of OpenLDAP configurations that allowed user authentication without a password when the LDAP server itself had the vulnerable configuration.
- risk 0.56cvss —epss 0.01
An information disclosure vulnerability in M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and 24.8 LTS SR5 allows an authenticated attacker using M-Files Web to capture session tokens of other active users.
- risk 0.49cvss 7.5epss 0.01
Denial of service condition in M-Files Server in versions before 25.1.14445.5 allows an unauthenticated user to consume computing resources in certain conditions.
- risk 0.49cvss 7.5epss 0.01
Denial of service condition in M-Files Server in versions before 24.4.13592.4 and after 23.11 (excluding 24.2 LTS) allows unauthenticated user to consume computing resources.
- risk 0.49cvss 7.5epss 0.01
Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authentication attempts, potentially compromising targeted M-Files user accounts by guessing passwords.
- risk 0.49cvss 7.5epss 0.01
Unchecked parameter value in M-Files Server in versions before 23.6.12695.3 (excluding 23.2 SR2 and newer) allows anonymous user to cause denial of service
- risk 0.49cvss 7.5epss 0.01
User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolled memory consumption.
- risk 0.49cvss 7.5epss 0.01
Lack of rate limiting in M-Files Server and M-Files Web products with versions before 21.12.10873.0 in certain type of user accounts allows unlimited amount of attempts and therefore makes brute-forcing login accounts easier.
- risk 0.47cvss 7.3epss 0.00
Blind server-side request forgery (SSRF) vulnerability in legacy connection methods of document co-authoring features in M-Files Server before 26.3 allow an unauthenticated attacker to cause the server to send HTTP GET requests to arbitrary URLs.
- risk 0.46cvss —epss 0.00
Denial-of-service condition in M-Files Server versions before 26.5.16015.0, before 26.2 LTS, and before 25.8 LTS SR3 allows an authenticated user to cause the MFserver process to crash
- risk 0.46cvss 7.1epss 0.00
Improper isolation of users in M-Files Server version before 25.3.14549 allows anonymous user to affect other anonymous users views and possibly cause a denial of service
- risk 0.43cvss 6.5epss 0.10
A path traversal issue in the API endpoint in M-Files Server before version 25.6.14925.0 allows an authenticated user to read files in the server.
- risk 0.42cvss 6.5epss 0.01
A path traversal issue in API endpoint in M-Files Server before version 24.8.13981.0 and LTS 24.2.13421.15 SR2 and LTS 23.8.12892.0 SR6 allows authenticated user to read files
- risk 0.42cvss 6.5epss 0.01
A vulnerable API method in M-Files Server before 23.12.13195.0 allows for uncontrolled resource consumption. Authenticated attacker can exhaust server storage space to a point where the server can no longer serve requests.
- risk 0.42cvss 6.5epss 0.01
Out-of-bounds read issue in M-Files Server versions below 23.8.12892.6 and LTS Service Release Versions before 23.2 LTS SR3 allows unauthenticated user to read restricted amount of bytes from memory.
- risk 0.42cvss 6.5epss 0.01
User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolled memory consumption for a scheduled job.
- risk 0.42cvss 6.5epss 0.01
User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolled memory consumption.
- risk 0.37cvss 5.7epss 0.01
A possibility of unwanted server memory consumption was detected through the obsolete functionalities in the Rest API methods of the M-Files server before 23.11.13156.0 which allows attackers to execute DoS attacks.
- risk 0.35cvss 5.4epss 0.01
Under rare conditions, the effective permissions of an object might be incorrectly calculated if the object has a specific configuration of metadata-driven permissions in M-Files Server versions 23.9, 23.10, and 23.11 before 23.11.13168.7, potentially enabling unauthorized…
- risk 0.34cvss 5.3epss 0.01
Error in parser function in M-Files Server versions before 22.6.11534.1 and before 22.6.11505.0 allowed unauthenticated access to some information of the underlying operating system.
Page 1 of 2