Vendor CVEs
M Files Corporation"
All CVEs
62 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-10127 | Cri | 0.64 | 9.8 | 0.01 | Nov 20, 2024 | Authentication bypass condition in LDAP authentication in M-Files server versions before 24.11 supported usage of OpenLDAP configurations that allowed user authentication without a password when the LDAP server itself had the vulnerable configuration. | ||
| CVE-2023-0213 | Hig | 0.57 | 8.8 | 0.00 | Mar 29, 2023 | Elevation of privilege issue in M-Files Installer versions before 22.6 on Windows allows user to gain SYSTEM privileges via DLL hijacking. | ||
| CVE-2025-13008 | Hig | 0.56 | — | 0.01 | Dec 19, 2025 | An information disclosure vulnerability in M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and 24.8 LTS SR5 allows an authenticated attacker using M-Files Web to capture session tokens of other active users. | ||
| CVE-2023-5523 | Hig | 0.56 | 8.6 | 0.00 | Oct 20, 2023 | Execution of downloaded content flaw in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows Remote Code Execution | ||
| CVE-2023-5524 | Hig | 0.53 | 8.2 | 0.00 | Oct 20, 2023 | Insufficient blacklisting in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows Remote Code Execution via specific file types | ||
| CVE-2022-39018 | Hig | 0.53 | 8.2 | 0.00 | Oct 31, 2022 | Broken access controls on PDFtron data in M-Files Hubshare before 3.3.11.3 allows unauthenticated attackers to access restricted PDF files via a known URL. | ||
| CVE-2022-39017 | Hig | 0.53 | 8.2 | 0.00 | Oct 31, 2022 | Improper input validation and output encoding in all comments fields, in M-Files Hubshare before 3.3.10.9 allows authenticated attackers to introduce cross-site scripting attacks via specially crafted comments. | ||
| CVE-2022-39016 | Hig | 0.53 | 8.2 | 0.00 | Oct 31, 2022 | Javascript injection in PDFtron in M-Files Hubshare before 3.3.10.9 allows authenticated attackers to perform an account takeover via a crafted PDF upload. | ||
| CVE-2023-3406 | Hig | 0.50 | 7.7 | 0.01 | Aug 25, 2023 | Path Traversal issue in M-Files Classic Web versions below 23.6.12695.3 and LTS Service Release Versions before 23.2 LTS SR3 allows authenticated user to read some restricted files on the web server | ||
| CVE-2025-0635 | Hig | 0.49 | 7.5 | 0.01 | Jan 23, 2025 | Denial of service condition in M-Files Server in versions before 25.1.14445.5 allows an unauthenticated user to consume computing resources in certain conditions. | ||
| CVE-2024-4056 | Hig | 0.49 | 7.5 | 0.01 | Apr 26, 2024 | Denial of service condition in M-Files Server in versions before 24.4.13592.4 and after 23.11 (excluding 24.2 LTS) allows unauthenticated user to consume computing resources. | ||
| CVE-2023-6912 | Hig | 0.49 | 7.5 | 0.01 | Dec 20, 2023 | Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authentication attempts, potentially compromising targeted M-Files user accounts by guessing passwords. | ||
| CVE-2023-3405 | Hig | 0.49 | 7.5 | 0.01 | Jun 27, 2023 | Unchecked parameter value in M-Files Server in versions before 23.6.12695.3 (excluding 23.2 SR2 and newer) allows anonymous user to cause denial of service | ||
| CVE-2023-2480 | Hig | 0.49 | 7.5 | 0.00 | May 25, 2023 | Missing access permissions checks in M-Files Client before 23.5.12598.0 (excluding 23.2 SR2 and newer) allows elevation of privilege via UI extension applications | ||
| CVE-2023-0383 | Hig | 0.49 | 7.5 | 0.01 | Apr 20, 2023 | User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolled memory consumption. | ||
| CVE-2021-41807 | Hig | 0.49 | 7.5 | 0.01 | Jan 18, 2022 | Lack of rate limiting in M-Files Server and M-Files Web products with versions before 21.12.10873.0 in certain type of user accounts allows unlimited amount of attempts and therefore makes brute-forcing login accounts easier. | ||
| CVE-2021-37253 | Hig | 0.49 | 7.5 | 0.03 | Dec 5, 2021 | M-Files Web before 20.10.9524.1 allows a denial of service via overlapping ranges (in HTTP requests with crafted Range or Request-Range headers). NOTE: this is disputed because the range behavior is the responsibility of the web server, not the responsibility of the individual… | ||
| CVE-2021-37254 | Hig | 0.49 | 7.5 | 0.01 | Oct 28, 2021 | In M-Files Web product with versions before 20.10.9524.1 and 20.10.9445.0, a remote attacker could use a flaw to obtain unauthenticated access to 3rd party component license key information on server. | ||
| CVE-2026-0932 | Hig | 0.47 | 7.3 | 0.00 | Apr 1, 2026 | Blind server-side request forgery (SSRF) vulnerability in legacy connection methods of document co-authoring features in M-Files Server before 26.3 allow an unauthenticated attacker to cause the server to send HTTP GET requests to arbitrary URLs. | ||
| CVE-2023-4479 | Hig | 0.47 | 7.3 | 0.00 | Mar 4, 2024 | Stored XSS Vulnerability in M-Files Web versions before 23.8 allows attacker to execute script on users browser via stored HTML document within limited time period. | ||
| CVE-2023-2325 | Hig | 0.47 | 7.3 | 0.00 | Oct 20, 2023 | Stored XSS Vulnerability in M-Files Classic Web versions before 23.10 and LTS Service Release Versions before 23.2 LTS SR4 and 23.8 LTS SR1allows attacker to execute script on users browser via stored HTML document. | ||
| CVE-2026-0983 | Hig | 0.46 | — | 0.00 | May 18, 2026 | Denial-of-service condition in M-Files Server versions before 26.5.16015.0, before 26.2 LTS, and before 25.8 LTS SR3 allows an authenticated user to cause the MFserver process to crash | ||
| CVE-2025-3086 | Hig | 0.46 | 7.1 | 0.00 | Apr 4, 2025 | Improper isolation of users in M-Files Server version before 25.3.14549 allows anonymous user to affect other anonymous users views and possibly cause a denial of service | ||
| CVE-2025-5964 | Med | 0.43 | 6.5 | 0.10 | Jun 15, 2025 | A path traversal issue in the API endpoint in M-Files Server before version 25.6.14925.0 allows an authenticated user to read files in the server. | ||
| CVE-2024-6789 | Med | 0.42 | 6.5 | 0.01 | Aug 27, 2024 | A path traversal issue in API endpoint in M-Files Server before version 24.8.13981.0 and LTS 24.2.13421.15 SR2 and LTS 23.8.12892.0 SR6 allows authenticated user to read files | ||
| CVE-2023-6910 | Med | 0.42 | 6.5 | 0.01 | Dec 20, 2023 | A vulnerable API method in M-Files Server before 23.12.13195.0 allows for uncontrolled resource consumption. Authenticated attacker can exhaust server storage space to a point where the server can no longer serve requests. | ||
| CVE-2023-3425 | Med | 0.42 | 6.5 | 0.01 | Aug 25, 2023 | Out-of-bounds read issue in M-Files Server versions below 23.8.12892.6 and LTS Service Release Versions before 23.2 LTS SR3 allows unauthenticated user to read restricted amount of bytes from memory. | ||
| CVE-2023-0384 | Med | 0.42 | 6.5 | 0.01 | Apr 20, 2023 | User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolled memory consumption for a scheduled job. | ||
| CVE-2023-0382 | Med | 0.42 | 6.5 | 0.01 | Apr 5, 2023 | User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolled memory consumption. | ||
| CVE-2022-3284 | Med | 0.42 | 6.5 | 0.01 | Mar 6, 2023 | Download key for a file in a vault was passed in an insecure way that could easily be logged in M-Files New Web in M-Files before 22.11.12011.0. This issue affects M-Files New Web: before 22.11.12011.0. | ||
| CVE-2022-4264 | Med | 0.42 | 6.5 | 0.01 | Dec 9, 2022 | Incorrect Privilege Assignment in M-Files Web (Classic) in M-Files before 22.8.11691.0 allows low privilege user to change some configuration. | ||
| CVE-2022-39019 | Med | 0.41 | 6.3 | 0.00 | Oct 31, 2022 | Broken access controls on PDFtron WebviewerUI in M-Files Hubshare before 3.3.11.3 allows unauthenticated attackers to upload malicious files to the application server. | ||
| CVE-2023-6117 | Med | 0.37 | 5.7 | 0.01 | Nov 22, 2023 | A possibility of unwanted server memory consumption was detected through the obsolete functionalities in the Rest API methods of the M-Files server before 23.11.13156.0 which allows attackers to execute DoS attacks. | ||
| CVE-2025-2091 | Med | 0.35 | 5.4 | 0.00 | Jun 16, 2025 | An open redirection vulnerability in M-Files mobile applications for Android and iOS prior to version 25.6.0 allows attackers to use maliciously crafted PDF files to trick other users into making requests to untrusted URLs. | ||
| CVE-2025-3087 | Med | 0.35 | 5.4 | 0.00 | Apr 4, 2025 | Stored XSS in M-Files Web versions from 25.1.14445.5 to 25.2.14524.4 allows an authenticated user to run scripts | ||
| CVE-2024-9174 | Med | 0.35 | 5.4 | 0.00 | Oct 2, 2024 | Stored HTML Injection in Social Module in M-Files Hubshare before version 5.0.8.6 allows authenticated user to spoof UI | ||
| CVE-2024-6881 | Med | 0.35 | 5.4 | 0.00 | Jul 29, 2024 | Stored XSS in M-Files Hubshare versions before 5.0.6.0 allows an authenticated attacker to execute arbitrary JavaScript in user's browser session | ||
| CVE-2024-6124 | Med | 0.35 | 5.4 | 0.00 | Jul 29, 2024 | Reflected XSS in M-Files Hubshare before version 5.0.6.0 allows an attacker to execute arbitrary JavaScript code in the context of the victim's browser session | ||
| CVE-2024-5142 | Med | 0.35 | 5.4 | 0.00 | May 24, 2024 | Stored Cross-Site Scripting vulnerability in Social Module in M-Files Hubshare before version 5.0.6.0 allows authenticated attacker to run scripts in other users browser | ||
| CVE-2023-6239 | Med | 0.35 | 5.4 | 0.01 | Nov 28, 2023 | Under rare conditions, the effective permissions of an object might be incorrectly calculated if the object has a specific configuration of metadata-driven permissions in M-Files Server versions 23.9, 23.10, and 23.11 before 23.11.13168.7, potentially enabling unauthorized… | ||
| CVE-2024-11176 | Med | 0.34 | — | 0.00 | Nov 20, 2024 | Improper access control vulnerability in M-Files Aino in versions before 24.10 allowed an authenticated user to access object information via incorrect evaluation of effective permissions. | ||
| CVE-2024-9333 | Med | 0.34 | — | 0.00 | Oct 2, 2024 | Permissions bypass in M-Files Connector for Copilot before version 24.9.3 allows authenticated user to access limited amount of documents via incorrect access control list calculation | ||
| CVE-2022-1911 | Med | 0.34 | 5.3 | 0.01 | Nov 30, 2022 | Error in parser function in M-Files Server versions before 22.6.11534.1 and before 22.6.11505.0 allowed unauthenticated access to some information of the underlying operating system. | ||
| CVE-2021-41810 | Med | 0.34 | 5.2 | 0.01 | May 2, 2022 | Script injection in M-Files Admin versions before 22.2.11051.0, allows executing stored script in admin tool. M-Files Admin tool allows storing configuration data with script which may then get run by another vault administrator. Requires vault admin level authentication and is… | ||
| CVE-2025-2159 | Med | 0.33 | — | 0.00 | Apr 4, 2025 | Stored XSS in Desktop UI in M-Files Server Admin tool before version 25.3.14681.7 on Windows allows authenticated local user to run scripts via UI | ||
| CVE-2022-4862 | Med | 0.33 | 5.0 | 0.00 | Mar 6, 2023 | Rendering of HTML provided by another authenticated user is possible in browser on M-Files Web before 22.12.12140.3. This allows the content to steal user sensitive information. This issue affects M-Files New Web: before 22.12.12140.3. | ||
| CVE-2025-0648 | Med | 0.32 | 4.9 | 0.01 | Jan 23, 2025 | Unexpected server crash in database driver in M-Files Server before 25.1.14445.5 and before 24.8 LTS SR3 allows a highly privileged attacker to cause denial of service via configuration change. | ||
| CVE-2025-0619 | Med | 0.32 | 4.9 | 0.00 | Jan 23, 2025 | Unsafe password recovery from configuration in M-Files Server before 25.1 allows a highly privileged user to recover external connector passwords | ||
| CVE-2022-4861 | Med | 0.31 | 4.8 | 0.01 | Dec 30, 2022 | Incorrect implementation in authentication protocol in M-Files Client before 22.5.11356.0 allows high privileged user to get other users tokens to another resource. | ||
| CVE-2022-4858 | Med | 0.29 | 4.4 | 0.00 | Dec 30, 2022 | Insertion of Sensitive Information into Log Files in M-Files Server before 22.10.11846.0 could allow to obtain sensitive tokens from logs, if specific configurations were set. |
- risk 0.64cvss 9.8epss 0.01
Authentication bypass condition in LDAP authentication in M-Files server versions before 24.11 supported usage of OpenLDAP configurations that allowed user authentication without a password when the LDAP server itself had the vulnerable configuration.
- risk 0.57cvss 8.8epss 0.00
Elevation of privilege issue in M-Files Installer versions before 22.6 on Windows allows user to gain SYSTEM privileges via DLL hijacking.
- risk 0.56cvss —epss 0.01
An information disclosure vulnerability in M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and 24.8 LTS SR5 allows an authenticated attacker using M-Files Web to capture session tokens of other active users.
- risk 0.56cvss 8.6epss 0.00
Execution of downloaded content flaw in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows Remote Code Execution
- risk 0.53cvss 8.2epss 0.00
Insufficient blacklisting in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows Remote Code Execution via specific file types
- risk 0.53cvss 8.2epss 0.00
Broken access controls on PDFtron data in M-Files Hubshare before 3.3.11.3 allows unauthenticated attackers to access restricted PDF files via a known URL.
- risk 0.53cvss 8.2epss 0.00
Improper input validation and output encoding in all comments fields, in M-Files Hubshare before 3.3.10.9 allows authenticated attackers to introduce cross-site scripting attacks via specially crafted comments.
- risk 0.53cvss 8.2epss 0.00
Javascript injection in PDFtron in M-Files Hubshare before 3.3.10.9 allows authenticated attackers to perform an account takeover via a crafted PDF upload.
- risk 0.50cvss 7.7epss 0.01
Path Traversal issue in M-Files Classic Web versions below 23.6.12695.3 and LTS Service Release Versions before 23.2 LTS SR3 allows authenticated user to read some restricted files on the web server
- risk 0.49cvss 7.5epss 0.01
Denial of service condition in M-Files Server in versions before 25.1.14445.5 allows an unauthenticated user to consume computing resources in certain conditions.
- risk 0.49cvss 7.5epss 0.01
Denial of service condition in M-Files Server in versions before 24.4.13592.4 and after 23.11 (excluding 24.2 LTS) allows unauthenticated user to consume computing resources.
- risk 0.49cvss 7.5epss 0.01
Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authentication attempts, potentially compromising targeted M-Files user accounts by guessing passwords.
- risk 0.49cvss 7.5epss 0.01
Unchecked parameter value in M-Files Server in versions before 23.6.12695.3 (excluding 23.2 SR2 and newer) allows anonymous user to cause denial of service
- risk 0.49cvss 7.5epss 0.00
Missing access permissions checks in M-Files Client before 23.5.12598.0 (excluding 23.2 SR2 and newer) allows elevation of privilege via UI extension applications
- risk 0.49cvss 7.5epss 0.01
User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolled memory consumption.
- risk 0.49cvss 7.5epss 0.01
Lack of rate limiting in M-Files Server and M-Files Web products with versions before 21.12.10873.0 in certain type of user accounts allows unlimited amount of attempts and therefore makes brute-forcing login accounts easier.
- risk 0.49cvss 7.5epss 0.03
M-Files Web before 20.10.9524.1 allows a denial of service via overlapping ranges (in HTTP requests with crafted Range or Request-Range headers). NOTE: this is disputed because the range behavior is the responsibility of the web server, not the responsibility of the individual…
- risk 0.49cvss 7.5epss 0.01
In M-Files Web product with versions before 20.10.9524.1 and 20.10.9445.0, a remote attacker could use a flaw to obtain unauthenticated access to 3rd party component license key information on server.
- risk 0.47cvss 7.3epss 0.00
Blind server-side request forgery (SSRF) vulnerability in legacy connection methods of document co-authoring features in M-Files Server before 26.3 allow an unauthenticated attacker to cause the server to send HTTP GET requests to arbitrary URLs.
- risk 0.47cvss 7.3epss 0.00
Stored XSS Vulnerability in M-Files Web versions before 23.8 allows attacker to execute script on users browser via stored HTML document within limited time period.
- risk 0.47cvss 7.3epss 0.00
Stored XSS Vulnerability in M-Files Classic Web versions before 23.10 and LTS Service Release Versions before 23.2 LTS SR4 and 23.8 LTS SR1allows attacker to execute script on users browser via stored HTML document.
- risk 0.46cvss —epss 0.00
Denial-of-service condition in M-Files Server versions before 26.5.16015.0, before 26.2 LTS, and before 25.8 LTS SR3 allows an authenticated user to cause the MFserver process to crash
- risk 0.46cvss 7.1epss 0.00
Improper isolation of users in M-Files Server version before 25.3.14549 allows anonymous user to affect other anonymous users views and possibly cause a denial of service
- risk 0.43cvss 6.5epss 0.10
A path traversal issue in the API endpoint in M-Files Server before version 25.6.14925.0 allows an authenticated user to read files in the server.
- risk 0.42cvss 6.5epss 0.01
A path traversal issue in API endpoint in M-Files Server before version 24.8.13981.0 and LTS 24.2.13421.15 SR2 and LTS 23.8.12892.0 SR6 allows authenticated user to read files
- risk 0.42cvss 6.5epss 0.01
A vulnerable API method in M-Files Server before 23.12.13195.0 allows for uncontrolled resource consumption. Authenticated attacker can exhaust server storage space to a point where the server can no longer serve requests.
- risk 0.42cvss 6.5epss 0.01
Out-of-bounds read issue in M-Files Server versions below 23.8.12892.6 and LTS Service Release Versions before 23.2 LTS SR3 allows unauthenticated user to read restricted amount of bytes from memory.
- risk 0.42cvss 6.5epss 0.01
User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolled memory consumption for a scheduled job.
- risk 0.42cvss 6.5epss 0.01
User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolled memory consumption.
- risk 0.42cvss 6.5epss 0.01
Download key for a file in a vault was passed in an insecure way that could easily be logged in M-Files New Web in M-Files before 22.11.12011.0. This issue affects M-Files New Web: before 22.11.12011.0.
- risk 0.42cvss 6.5epss 0.01
Incorrect Privilege Assignment in M-Files Web (Classic) in M-Files before 22.8.11691.0 allows low privilege user to change some configuration.
- risk 0.41cvss 6.3epss 0.00
Broken access controls on PDFtron WebviewerUI in M-Files Hubshare before 3.3.11.3 allows unauthenticated attackers to upload malicious files to the application server.
- risk 0.37cvss 5.7epss 0.01
A possibility of unwanted server memory consumption was detected through the obsolete functionalities in the Rest API methods of the M-Files server before 23.11.13156.0 which allows attackers to execute DoS attacks.
- risk 0.35cvss 5.4epss 0.00
An open redirection vulnerability in M-Files mobile applications for Android and iOS prior to version 25.6.0 allows attackers to use maliciously crafted PDF files to trick other users into making requests to untrusted URLs.
- risk 0.35cvss 5.4epss 0.00
Stored XSS in M-Files Web versions from 25.1.14445.5 to 25.2.14524.4 allows an authenticated user to run scripts
- risk 0.35cvss 5.4epss 0.00
Stored HTML Injection in Social Module in M-Files Hubshare before version 5.0.8.6 allows authenticated user to spoof UI
- risk 0.35cvss 5.4epss 0.00
Stored XSS in M-Files Hubshare versions before 5.0.6.0 allows an authenticated attacker to execute arbitrary JavaScript in user's browser session
- risk 0.35cvss 5.4epss 0.00
Reflected XSS in M-Files Hubshare before version 5.0.6.0 allows an attacker to execute arbitrary JavaScript code in the context of the victim's browser session
- risk 0.35cvss 5.4epss 0.00
Stored Cross-Site Scripting vulnerability in Social Module in M-Files Hubshare before version 5.0.6.0 allows authenticated attacker to run scripts in other users browser
- risk 0.35cvss 5.4epss 0.01
Under rare conditions, the effective permissions of an object might be incorrectly calculated if the object has a specific configuration of metadata-driven permissions in M-Files Server versions 23.9, 23.10, and 23.11 before 23.11.13168.7, potentially enabling unauthorized…
- risk 0.34cvss —epss 0.00
Improper access control vulnerability in M-Files Aino in versions before 24.10 allowed an authenticated user to access object information via incorrect evaluation of effective permissions.
- risk 0.34cvss —epss 0.00
Permissions bypass in M-Files Connector for Copilot before version 24.9.3 allows authenticated user to access limited amount of documents via incorrect access control list calculation
- risk 0.34cvss 5.3epss 0.01
Error in parser function in M-Files Server versions before 22.6.11534.1 and before 22.6.11505.0 allowed unauthenticated access to some information of the underlying operating system.
- risk 0.34cvss 5.2epss 0.01
Script injection in M-Files Admin versions before 22.2.11051.0, allows executing stored script in admin tool. M-Files Admin tool allows storing configuration data with script which may then get run by another vault administrator. Requires vault admin level authentication and is…
- risk 0.33cvss —epss 0.00
Stored XSS in Desktop UI in M-Files Server Admin tool before version 25.3.14681.7 on Windows allows authenticated local user to run scripts via UI
- risk 0.33cvss 5.0epss 0.00
Rendering of HTML provided by another authenticated user is possible in browser on M-Files Web before 22.12.12140.3. This allows the content to steal user sensitive information. This issue affects M-Files New Web: before 22.12.12140.3.
- risk 0.32cvss 4.9epss 0.01
Unexpected server crash in database driver in M-Files Server before 25.1.14445.5 and before 24.8 LTS SR3 allows a highly privileged attacker to cause denial of service via configuration change.
- risk 0.32cvss 4.9epss 0.00
Unsafe password recovery from configuration in M-Files Server before 25.1 allows a highly privileged user to recover external connector passwords
- risk 0.31cvss 4.8epss 0.01
Incorrect implementation in authentication protocol in M-Files Client before 22.5.11356.0 allows high privileged user to get other users tokens to another resource.
- risk 0.29cvss 4.4epss 0.00
Insertion of Sensitive Information into Log Files in M-Files Server before 22.10.11846.0 could allow to obtain sensitive tokens from logs, if specific configurations were set.
Page 1 of 2