VYPR
Vendor

M Files Corporation"

Products
19
CVEs
62
Across products
72
Status
Private

Products

19

Recent CVEs

62
View all 62 CVEs →
  • CVE-2024-10127CriNov 20, 2024
    risk 0.64cvss 9.8epss 0.01

    Authentication bypass condition in LDAP authentication in M-Files server versions before 24.11 supported usage of OpenLDAP configurations that allowed user authentication without a password when the LDAP server itself had the vulnerable configuration.

  • CVE-2023-0213HigMar 29, 2023
    risk 0.57cvss 8.8epss 0.00

    Elevation of privilege issue in M-Files Installer versions before 22.6 on Windows allows user to gain SYSTEM privileges via DLL hijacking.

  • CVE-2025-13008HigDec 19, 2025
    risk 0.56cvss epss 0.01

    An information disclosure vulnerability in M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and 24.8 LTS SR5 allows an authenticated attacker using M-Files Web to capture session tokens of other active users.

  • CVE-2023-5523HigOct 20, 2023
    risk 0.56cvss 8.6epss 0.00

    Execution of downloaded content flaw in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows Remote Code Execution

  • CVE-2023-5524HigOct 20, 2023
    risk 0.53cvss 8.2epss 0.00

    Insufficient blacklisting in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows Remote Code Execution via specific file types

  • CVE-2022-39018HigOct 31, 2022
    risk 0.53cvss 8.2epss 0.00

    Broken access controls on PDFtron data in M-Files Hubshare before 3.3.11.3 allows unauthenticated attackers to access restricted PDF files via a known URL.

  • CVE-2022-39017HigOct 31, 2022
    risk 0.53cvss 8.2epss 0.00

    Improper input validation and output encoding in all comments fields, in M-Files Hubshare before 3.3.10.9 allows authenticated attackers to introduce cross-site scripting attacks via specially crafted comments.

  • CVE-2022-39016HigOct 31, 2022
    risk 0.53cvss 8.2epss 0.00

    Javascript injection in PDFtron in M-Files Hubshare before 3.3.10.9 allows authenticated attackers to perform an account takeover via a crafted PDF upload.

  • CVE-2023-3406HigAug 25, 2023
    risk 0.50cvss 7.7epss 0.01

    Path Traversal issue in M-Files Classic Web versions below 23.6.12695.3 and LTS Service Release Versions before 23.2 LTS SR3 allows authenticated user to read some restricted files on the web server

  • CVE-2025-0635HigJan 23, 2025
    risk 0.49cvss 7.5epss 0.01

    Denial of service condition in M-Files Server in versions before 25.1.14445.5 allows an unauthenticated user to consume computing resources in certain conditions.

  • CVE-2024-4056HigApr 26, 2024
    risk 0.49cvss 7.5epss 0.01

    Denial of service condition in M-Files Server in versions before 24.4.13592.4 and after 23.11 (excluding 24.2 LTS) allows unauthenticated user to consume computing resources.

  • CVE-2023-6912HigDec 20, 2023
    risk 0.49cvss 7.5epss 0.01

    Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authentication attempts, potentially compromising targeted M-Files user accounts by guessing passwords.

  • CVE-2023-3405HigJun 27, 2023
    risk 0.49cvss 7.5epss 0.01

    Unchecked parameter value in M-Files Server in versions before 23.6.12695.3 (excluding 23.2 SR2 and newer) allows anonymous user to cause denial of service

  • CVE-2023-2480HigMay 25, 2023
    risk 0.49cvss 7.5epss 0.00

    Missing access permissions checks in M-Files Client before 23.5.12598.0 (excluding 23.2 SR2 and newer) allows elevation of privilege via UI extension applications

  • CVE-2023-0383HigApr 20, 2023
    risk 0.49cvss 7.5epss 0.01

    User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolled memory consumption.

  • CVE-2021-41807HigJan 18, 2022
    risk 0.49cvss 7.5epss 0.01

    Lack of rate limiting in M-Files Server and M-Files Web products with versions before 21.12.10873.0 in certain type of user accounts allows unlimited amount of attempts and therefore makes brute-forcing login accounts easier.

  • CVE-2021-37253HigDec 5, 2021
    risk 0.49cvss 7.5epss 0.03

    M-Files Web before 20.10.9524.1 allows a denial of service via overlapping ranges (in HTTP requests with crafted Range or Request-Range headers). NOTE: this is disputed because the range behavior is the responsibility of the web server, not the responsibility of the individual…

  • CVE-2021-37254HigOct 28, 2021
    risk 0.49cvss 7.5epss 0.01

    In M-Files Web product with versions before 20.10.9524.1 and 20.10.9445.0, a remote attacker could use a flaw to obtain unauthenticated access to 3rd party component license key information on server.

  • CVE-2026-0932HigApr 1, 2026
    risk 0.47cvss 7.3epss 0.00

    Blind server-side request forgery (SSRF) vulnerability in legacy connection methods of document co-authoring features in M-Files Server before 26.3 allow an unauthenticated attacker to cause the server to send HTTP GET requests to arbitrary URLs.

  • CVE-2023-4479HigMar 4, 2024
    risk 0.47cvss 7.3epss 0.00

    Stored XSS Vulnerability in M-Files Web versions before 23.8 allows attacker to execute script on users browser via stored HTML document within limited time period.