VYPR
Vendor

Element Hq

Products: 9
CVEs: 30
Across products: 33
Status: Private

Recent CVEs

  • CVE-2026-24044 | Critical | Feb 12, 2026
    risk 0.60 | cvss | epss 0.00

    Element Server Suite Community Edition (ESS Community) deploys a Matrix stack using the provided Helm charts and Kubernetes distribution. The ESS Community Helm Chart secrets initialization hook (using matrix-tools container before 0.5.7) is using an insecure Matrix server key…

  • CVE-2025-62425 | High | Oct 16, 2025
    risk 0.54 | cvss 8.3 | epss 0.00

    MAS (Matrix Authentication Service) is a user management and authentication service for Matrix homeservers, written and maintained by Element. A logic flaw in matrix-authentication-service 0.20.0 through 1.4.0 allows an attacker with access to an authenticated MAS session to…

  • CVE-2026-48007 | High | Jun 11, 2026
    risk 0.39 | cvss | epss 0.00

    Impact: Element Call versions 0.5.17 through 0.19.3 report analytics data to a PostHog server when configured to do so by a `posthog` key in config.json or by the `posthogApiHost` and `posthogApiKey` URL parameters. Several fields of this data (`$initial_person_info`,…

  • CVE-2024-47779 | High | Oct 15, 2024
    risk 0.39 | cvss | epss 0.00

    Element is a Matrix web client built using the Matrix React SDK. Element Web versions 1.11.70 through 1.11.80 contain a vulnerability which can, under specially crafted conditions, lead to the access token becoming exposed to third parties. At least one vector has been…

  • CVE-2024-47771 | High | Oct 15, 2024
    risk 0.39 | cvss | epss 0.01

    Element Desktop is a Matrix client for desktop platforms. Element Desktop versions 1.11.70 through 1.11.80 contain a vulnerability which can, under specially crafted conditions, lead to the access token becoming exposed to third parties. At least one vector has been identified…

  • CVE-2025-27599 | Medium | Apr 18, 2025
    risk 0.35 | cvss 6.5 | epss 0.00

    Element X Android is a Matrix Android Client provided by element.io. Prior to version 25.04.2, a crafted hyperlink on a webpage, or a locally installed malicious app, can force Element X up to version 25.04.1 to load a webpage with similar permissions to Element Call and…

  • CVE-2026-45078 | Medium | May 28, 2026
    risk 0.29 | cvss 5.5 | epss 0.00

    Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing other users to be denied service. This vulnerability is fixed in 1.152.1.

  • CVE-2025-61672 | Medium | Oct 8, 2025
    risk 0.27 | cvss | epss 0.00

    Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allows an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation…

  • CVE-2025-31127 | Medium | Apr 3, 2025
    risk 0.27 | cvss 5.3 | epss 0.00

    Element X Android is a Matrix Android Client provided by element.io. In Element X Android versions between 0.4.16 and 25.03.3, the entity in control of the element.json well-known file is able, under certain conditions, to get access to the media encryption keys used for an…

  • CVE-2025-31126 | Medium | Apr 3, 2025
    risk 0.27 | cvss 5.3 | epss 0.00

    Element X iOS is a Matrix iOS Client provided by Element. In Element X iOS versions between 1.6.13 and 25.03.7, the entity in control of the element.json well-known file is able, under certain conditions, to get access to the media encryption keys used for an Element Call call.…

  • CVE-2024-51750 | Medium | Nov 12, 2024
    risk 0.26 | cvss 5.0 | epss 0.00

    Element is a Matrix web client built using the Matrix React SDK. A malicious homeserver can send invalid messages over federation which can prevent Element Web and Desktop from rendering single messages or the entire room containing them. This was patched in Element Web and…

  • CVE-2024-53867 | Medium | Dec 3, 2024
    risk 0.21 | cvss 4.3 | epss 0.00

    Synapse is an open-source Matrix homeserver. The Sliding Sync feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak partial room state changes to users no longer in a room. Non-state events, like messages, are unaffected. This vulnerability is fixed in 1.120.1.

  • CVE-2025-32026 | Low | Apr 8, 2025
    risk 0.18 | cvss 3.8 | epss 0.00

    Element Web is a Matrix web client built using the Matrix React SDK. Element Web, starting from version 1.11.16 up to version 1.11.96, can be configured to load Element Call from an external URL. Under certain conditions, the external page is able to get access to the media…

  • CVE-2024-51749 | Low | Nov 12, 2024
    risk 0.16 | cvss 3.5 | epss 0.00

    Element is a Matrix web client built using the Matrix React SDK. Versions of Element Web and Desktop earlier than 1.11.85 do not check if thumbnails for attachments, stickers and images are coherent. It is possible to add thumbnails to events that trigger a file download once…

  • CVE-2026-45076 | Low | May 28, 2026
    risk 0.11 | cvss 2.7 | epss 0.00

    Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, in federated rooms, malicious homeservers can craft room events in such a way that prevents Synapse from providing full history to paginating clients. Clients could therefore fail to display room…

  • CVE-2025-59161 | Low | Sep 16, 2025
    risk 0.11 | cvss | epss 0.00

    Element Web is a Matrix web client built using the Matrix React SDK. Element Web and Element Desktop before version 1.11.112 have insufficient validation of room predecessor links, allowing a remote attacker to attempt to impermanently replace a room's entry in the room list…

  • CVE-2025-30355 | Mar 27, 2025
    risk 0.00 | cvss | epss 0.01

    Synapse is an open source Matrix homeserver implementation. A malicious server can craft events which, when received, prevent Synapse versions up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild and has been fixed in Synapse…

  • CVE-2025-27606 | Mar 14, 2025
    risk 0.00 | cvss | epss 0.00

    Element Android is an Android Matrix Client provided by Element. Element Android up to version 1.6.32 can, under certain circumstances, fail to log out the user if they input the wrong PIN more than the configured number of times. An attacker with physical access to a device can…

  • CVE-2024-37303 | Dec 3, 2024
    risk 0.00 | cvss | epss 0.00

    Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for…

  • CVE-2024-37302 | Dec 3, 2024
    risk 0.00 | cvss | epss 0.01

    Synapse is an open-source Matrix homeserver. Synapse versions before 1.106 are vulnerable to a disk fill attack, where an unauthenticated adversary can induce Synapse to download and cache large amounts of remote media. The default rate limit strategy is insufficient to mitigate…