M Files Corporation
Products (19)
- 32 CVEs
- 12 CVEs
- 9 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 0 CVEs
Recent CVEs (62)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-10127 | | Cri | 0.64 | 9.8 | 0.01 | | Nov 20, 2024 | Authentication bypass condition in LDAP authentication in M-Files server versions before 24.11 supported usage of OpenLDAP configurations that allowed user authentication without a password when the LDAP server itself had the vulnerable configuration. |
| CVE-2023-0213 | | Hig | 0.57 | 8.8 | 0.00 | | Mar 29, 2023 | Elevation of privilege issue in M-Files Installer versions before 22.6 on Windows allows user to gain SYSTEM privileges via DLL hijacking. |
| CVE-2025-13008 | | Hig | 0.56 | — | 0.01 | | Dec 19, 2025 | An information disclosure vulnerability in M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and 24.8 LTS SR5 allows an authenticated attacker using M-Files Web to capture session tokens of other active users. |
| CVE-2023-5523 | | Hig | 0.56 | 8.6 | 0.00 | | Oct 20, 2023 | Execution of downloaded content flaw in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows Remote Code Execution |
| CVE-2023-5524 | | Hig | 0.53 | 8.2 | 0.00 | | Oct 20, 2023 | Insufficient blacklisting in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows Remote Code Execution via specific file types |
| CVE-2022-39018 | | Hig | 0.53 | 8.2 | 0.00 | | Oct 31, 2022 | Broken access controls on PDFtron data in M-Files Hubshare before 3.3.11.3 allows unauthenticated attackers to access restricted PDF files via a known URL. |
| CVE-2022-39017 | | Hig | 0.53 | 8.2 | 0.00 | | Oct 31, 2022 | Improper input validation and output encoding in all comments fields, in M-Files Hubshare before 3.3.10.9 allows authenticated attackers to introduce cross-site scripting attacks via specially crafted comments. |
| CVE-2022-39016 | | Hig | 0.53 | 8.2 | 0.00 | | Oct 31, 2022 | Javascript injection in PDFtron in M-Files Hubshare before 3.3.10.9 allows authenticated attackers to perform an account takeover via a crafted PDF upload. |
| CVE-2023-3406 | | Hig | 0.50 | 7.7 | 0.01 | | Aug 25, 2023 | Path Traversal issue in M-Files Classic Web versions below 23.6.12695.3 and LTS Service Release Versions before 23.2 LTS SR3 allows authenticated user to read some restricted files on the web server |
| CVE-2025-0635 | | Hig | 0.49 | 7.5 | 0.01 | | Jan 23, 2025 | Denial of service condition in M-Files Server in versions before 25.1.14445.5 allows an unauthenticated user to consume computing resources in certain conditions. |
| CVE-2024-4056 | | Hig | 0.49 | 7.5 | 0.01 | | Apr 26, 2024 | Denial of service condition in M-Files Server in versions before 24.4.13592.4 and after 23.11 (excluding 24.2 LTS) allows unauthenticated user to consume computing resources. |
| CVE-2023-6912 | | Hig | 0.49 | 7.5 | 0.01 | | Dec 20, 2023 | Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authentication attempts, potentially compromising targeted M-Files user accounts by guessing passwords. |
| CVE-2023-3405 | | Hig | 0.49 | 7.5 | 0.01 | | Jun 27, 2023 | Unchecked parameter value in M-Files Server in versions before 23.6.12695.3 (excluding 23.2 SR2 and newer) allows anonymous user to cause denial of service |
| CVE-2023-2480 | | Hig | 0.49 | 7.5 | 0.00 | | May 25, 2023 | Missing access permissions checks in M-Files Client before 23.5.12598.0 (excluding 23.2 SR2 and newer) allows elevation of privilege via UI extension applications |
| CVE-2023-0383 | | Hig | 0.49 | 7.5 | 0.01 | | Apr 20, 2023 | User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolled memory consumption. |
| CVE-2021-41807 | | Hig | 0.49 | 7.5 | 0.01 | | Jan 18, 2022 | Lack of rate limiting in M-Files Server and M-Files Web products with versions before 21.12.10873.0 in certain type of user accounts allows unlimited amount of attempts and therefore makes brute-forcing login accounts easier. |
| CVE-2021-37253 | | Hig | 0.49 | 7.5 | 0.03 | | Dec 5, 2021 | M-Files Web before 20.10.9524.1 allows a denial of service via overlapping ranges (in HTTP requests with crafted Range or Request-Range headers). NOTE: this is disputed because the range behavior is the responsibility of the web server, not the responsibility of the individual… |
| CVE-2021-37254 | | Hig | 0.49 | 7.5 | 0.01 | | Oct 28, 2021 | In M-Files Web product with versions before 20.10.9524.1 and 20.10.9445.0, a remote attacker could use a flaw to obtain unauthenticated access to 3rd party component license key information on server. |
| CVE-2026-0932 | | Hig | 0.47 | 7.3 | 0.00 | | Apr 1, 2026 | Blind server-side request forgery (SSRF) vulnerability in legacy connection methods of document co-authoring features in M-Files Server before 26.3 allow an unauthenticated attacker to cause the server to send HTTP GET requests to arbitrary URLs. |
| CVE-2023-4479 | | Hig | 0.47 | 7.3 | 0.00 | | Mar 4, 2024 | Stored XSS Vulnerability in M-Files Web versions before 23.8 allows attacker to execute script on users browser via stored HTML document within limited time period. |