VYPR

Vendor CVEs

M Files Corporation"

All CVEs

62 total · sorted by risk
  • CVE-2024-10127CriNov 20, 2024
    risk 0.64cvss 9.8epss 0.01

    Authentication bypass condition in LDAP authentication in M-Files server versions before 24.11 supported usage of OpenLDAP configurations that allowed user authentication without a password when the LDAP server itself had the vulnerable configuration.

  • CVE-2023-0213HigMar 29, 2023
    risk 0.57cvss 8.8epss 0.00

    Elevation of privilege issue in M-Files Installer versions before 22.6 on Windows allows user to gain SYSTEM privileges via DLL hijacking.

  • CVE-2025-13008HigDec 19, 2025
    risk 0.56cvss epss 0.01

    An information disclosure vulnerability in M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and 24.8 LTS SR5 allows an authenticated attacker using M-Files Web to capture session tokens of other active users.

  • CVE-2023-5523HigOct 20, 2023
    risk 0.56cvss 8.6epss 0.00

    Execution of downloaded content flaw in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows Remote Code Execution

  • CVE-2023-5524HigOct 20, 2023
    risk 0.53cvss 8.2epss 0.00

    Insufficient blacklisting in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows Remote Code Execution via specific file types

  • CVE-2022-39018HigOct 31, 2022
    risk 0.53cvss 8.2epss 0.00

    Broken access controls on PDFtron data in M-Files Hubshare before 3.3.11.3 allows unauthenticated attackers to access restricted PDF files via a known URL.

  • CVE-2022-39017HigOct 31, 2022
    risk 0.53cvss 8.2epss 0.00

    Improper input validation and output encoding in all comments fields, in M-Files Hubshare before 3.3.10.9 allows authenticated attackers to introduce cross-site scripting attacks via specially crafted comments.

  • CVE-2022-39016HigOct 31, 2022
    risk 0.53cvss 8.2epss 0.00

    Javascript injection in PDFtron in M-Files Hubshare before 3.3.10.9 allows authenticated attackers to perform an account takeover via a crafted PDF upload.

  • CVE-2023-3406HigAug 25, 2023
    risk 0.50cvss 7.7epss 0.01

    Path Traversal issue in M-Files Classic Web versions below 23.6.12695.3 and LTS Service Release Versions before 23.2 LTS SR3 allows authenticated user to read some restricted files on the web server

  • CVE-2025-0635HigJan 23, 2025
    risk 0.49cvss 7.5epss 0.01

    Denial of service condition in M-Files Server in versions before 25.1.14445.5 allows an unauthenticated user to consume computing resources in certain conditions.

  • CVE-2024-4056HigApr 26, 2024
    risk 0.49cvss 7.5epss 0.01

    Denial of service condition in M-Files Server in versions before 24.4.13592.4 and after 23.11 (excluding 24.2 LTS) allows unauthenticated user to consume computing resources.

  • CVE-2023-6912HigDec 20, 2023
    risk 0.49cvss 7.5epss 0.01

    Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authentication attempts, potentially compromising targeted M-Files user accounts by guessing passwords.

  • CVE-2023-3405HigJun 27, 2023
    risk 0.49cvss 7.5epss 0.01

    Unchecked parameter value in M-Files Server in versions before 23.6.12695.3 (excluding 23.2 SR2 and newer) allows anonymous user to cause denial of service

  • CVE-2023-2480HigMay 25, 2023
    risk 0.49cvss 7.5epss 0.00

    Missing access permissions checks in M-Files Client before 23.5.12598.0 (excluding 23.2 SR2 and newer) allows elevation of privilege via UI extension applications

  • CVE-2023-0383HigApr 20, 2023
    risk 0.49cvss 7.5epss 0.01

    User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolled memory consumption.

  • CVE-2021-41807HigJan 18, 2022
    risk 0.49cvss 7.5epss 0.01

    Lack of rate limiting in M-Files Server and M-Files Web products with versions before 21.12.10873.0 in certain type of user accounts allows unlimited amount of attempts and therefore makes brute-forcing login accounts easier.

  • CVE-2021-37253HigDec 5, 2021
    risk 0.49cvss 7.5epss 0.03

    M-Files Web before 20.10.9524.1 allows a denial of service via overlapping ranges (in HTTP requests with crafted Range or Request-Range headers). NOTE: this is disputed because the range behavior is the responsibility of the web server, not the responsibility of the individual…

  • CVE-2021-37254HigOct 28, 2021
    risk 0.49cvss 7.5epss 0.01

    In M-Files Web product with versions before 20.10.9524.1 and 20.10.9445.0, a remote attacker could use a flaw to obtain unauthenticated access to 3rd party component license key information on server.

  • CVE-2026-0932HigApr 1, 2026
    risk 0.47cvss 7.3epss 0.00

    Blind server-side request forgery (SSRF) vulnerability in legacy connection methods of document co-authoring features in M-Files Server before 26.3 allow an unauthenticated attacker to cause the server to send HTTP GET requests to arbitrary URLs.

  • CVE-2023-4479HigMar 4, 2024
    risk 0.47cvss 7.3epss 0.00

    Stored XSS Vulnerability in M-Files Web versions before 23.8 allows attacker to execute script on users browser via stored HTML document within limited time period.

  • CVE-2023-2325HigOct 20, 2023
    risk 0.47cvss 7.3epss 0.00

    Stored XSS Vulnerability in M-Files Classic Web versions before 23.10 and LTS Service Release Versions before 23.2 LTS SR4 and 23.8 LTS SR1allows attacker to execute script on users browser via stored HTML document.

  • CVE-2026-0983HigMay 18, 2026
    risk 0.46cvss epss 0.00

    Denial-of-service condition in M-Files Server versions before 26.5.16015.0, before 26.2 LTS, and before 25.8 LTS SR3 allows an authenticated user to cause the MFserver process to crash

  • CVE-2025-3086HigApr 4, 2025
    risk 0.46cvss 7.1epss 0.00

    Improper isolation of users in M-Files Server version before 25.3.14549 allows anonymous user to affect other anonymous users views and possibly cause a denial of service

  • CVE-2025-5964MedJun 15, 2025
    risk 0.43cvss 6.5epss 0.10

    A path traversal issue in the API endpoint in M-Files Server before version 25.6.14925.0 allows an authenticated user to read files in the server.

  • CVE-2024-6789MedAug 27, 2024
    risk 0.42cvss 6.5epss 0.01

    A path traversal issue in API endpoint in M-Files Server before version 24.8.13981.0 and LTS 24.2.13421.15 SR2 and LTS 23.8.12892.0 SR6 allows authenticated user to read files

  • CVE-2023-6910MedDec 20, 2023
    risk 0.42cvss 6.5epss 0.01

    A vulnerable API method in M-Files Server before 23.12.13195.0 allows for uncontrolled resource consumption. Authenticated attacker can exhaust server storage space to a point where the server can no longer serve requests.

  • CVE-2023-3425MedAug 25, 2023
    risk 0.42cvss 6.5epss 0.01

    Out-of-bounds read issue in M-Files Server versions below 23.8.12892.6 and LTS Service Release Versions before 23.2 LTS SR3 allows unauthenticated user to read restricted amount of bytes from memory.

  • CVE-2023-0384MedApr 20, 2023
    risk 0.42cvss 6.5epss 0.01

    User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolled memory consumption for a scheduled job.

  • CVE-2023-0382MedApr 5, 2023
    risk 0.42cvss 6.5epss 0.01

    User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolled memory consumption.

  • CVE-2022-3284MedMar 6, 2023
    risk 0.42cvss 6.5epss 0.01

    Download key for a file in a vault was passed in an insecure way that could easily be logged in M-Files New Web in M-Files before 22.11.12011.0. This issue affects M-Files New Web: before 22.11.12011.0.

  • CVE-2022-4264MedDec 9, 2022
    risk 0.42cvss 6.5epss 0.01

    Incorrect Privilege Assignment in M-Files Web (Classic) in M-Files before 22.8.11691.0 allows low privilege user to change some configuration.

  • CVE-2022-39019MedOct 31, 2022
    risk 0.41cvss 6.3epss 0.00

    Broken access controls on PDFtron WebviewerUI in M-Files Hubshare before 3.3.11.3 allows unauthenticated attackers to upload malicious files to the application server.

  • CVE-2023-6117MedNov 22, 2023
    risk 0.37cvss 5.7epss 0.01

    A possibility of unwanted server memory consumption was detected through the obsolete functionalities in the Rest API methods of the M-Files server before 23.11.13156.0 which allows attackers to execute DoS attacks.

  • CVE-2025-2091MedJun 16, 2025
    risk 0.35cvss 5.4epss 0.00

    An open redirection vulnerability in M-Files mobile applications for Android and iOS prior to version 25.6.0 allows attackers to use maliciously crafted PDF files to trick other users into making requests to untrusted URLs.

  • CVE-2025-3087MedApr 4, 2025
    risk 0.35cvss 5.4epss 0.00

    Stored XSS in M-Files Web versions from 25.1.14445.5 to 25.2.14524.4 allows an authenticated user to run scripts

  • CVE-2024-9174MedOct 2, 2024
    risk 0.35cvss 5.4epss 0.00

    Stored HTML Injection in Social Module in M-Files Hubshare before version 5.0.8.6 allows authenticated user to spoof UI

  • CVE-2024-6881MedJul 29, 2024
    risk 0.35cvss 5.4epss 0.00

    Stored XSS in M-Files Hubshare versions before 5.0.6.0 allows an authenticated attacker to execute arbitrary JavaScript in user's browser session

  • CVE-2024-6124MedJul 29, 2024
    risk 0.35cvss 5.4epss 0.00

    Reflected XSS in M-Files Hubshare before version 5.0.6.0 allows an attacker to execute arbitrary JavaScript code in the context of the victim's browser session

  • CVE-2024-5142MedMay 24, 2024
    risk 0.35cvss 5.4epss 0.00

    Stored Cross-Site Scripting vulnerability in Social Module in M-Files Hubshare before version 5.0.6.0 allows authenticated attacker to run scripts in other users browser

  • CVE-2023-6239MedNov 28, 2023
    risk 0.35cvss 5.4epss 0.01

    Under rare conditions, the effective permissions of an object might be incorrectly calculated if the object has a specific configuration of metadata-driven permissions in M-Files Server versions 23.9, 23.10, and 23.11 before 23.11.13168.7, potentially enabling unauthorized…

  • CVE-2024-11176MedNov 20, 2024
    risk 0.34cvss epss 0.00

    Improper access control vulnerability in M-Files Aino in versions before 24.10 allowed an authenticated user to access object information via incorrect evaluation of effective permissions.

  • CVE-2024-9333MedOct 2, 2024
    risk 0.34cvss epss 0.00

    Permissions bypass in M-Files Connector for Copilot before version 24.9.3 allows authenticated user to access limited amount of documents via incorrect access control list calculation

  • CVE-2022-1911MedNov 30, 2022
    risk 0.34cvss 5.3epss 0.01

    Error in parser function in M-Files Server versions before 22.6.11534.1 and before 22.6.11505.0 allowed unauthenticated access to some information of the underlying operating system.

  • CVE-2021-41810MedMay 2, 2022
    risk 0.34cvss 5.2epss 0.01

    Script injection in M-Files Admin versions before 22.2.11051.0, allows executing stored script in admin tool. M-Files Admin tool allows storing configuration data with script which may then get run by another vault administrator. Requires vault admin level authentication and is…

  • CVE-2025-2159MedApr 4, 2025
    risk 0.33cvss epss 0.00

    Stored XSS in Desktop UI in M-Files Server Admin tool before version 25.3.14681.7 on Windows allows authenticated local user to run scripts via UI

  • CVE-2022-4862MedMar 6, 2023
    risk 0.33cvss 5.0epss 0.00

    Rendering of HTML provided by another authenticated user is possible in browser on M-Files Web before 22.12.12140.3. This allows the content to steal user sensitive information. This issue affects M-Files New Web: before 22.12.12140.3.

  • CVE-2025-0648MedJan 23, 2025
    risk 0.32cvss 4.9epss 0.01

    Unexpected server crash in database driver in M-Files Server before 25.1.14445.5 and before 24.8 LTS SR3 allows a highly privileged attacker to cause denial of service via configuration change.

  • CVE-2025-0619MedJan 23, 2025
    risk 0.32cvss 4.9epss 0.00

    Unsafe password recovery from configuration in M-Files Server before 25.1 allows a highly privileged user to recover external connector passwords

  • CVE-2022-4861MedDec 30, 2022
    risk 0.31cvss 4.8epss 0.01

    Incorrect implementation in authentication protocol in M-Files Client before 22.5.11356.0 allows high privileged user to get other users tokens to another resource.

  • CVE-2022-4858MedDec 30, 2022
    risk 0.29cvss 4.4epss 0.00

    Insertion of Sensitive Information into Log Files in M-Files Server before 22.10.11846.0 could allow to obtain sensitive tokens from logs, if specific configurations were set.

Page 1 of 2