CVE-2025-14318
Published 2025-12-18
Priority: P4 · 25 · medium · 4.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.28% (19.4th percentile)
Improper access checks in M-Files Server before 25.12.15491.7 allows users to download files through M-Files Web using Web Companion despite Print and Download Prevention module being enabled.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| m-files | m-files_server | < 25.12.15491.7 | 25.12.15491.7 |
| m-files_corporation | m-files_server | < 25.12.15491.7 | 25.12.15491.7 |
| msrc | azl3_samba_4.18.3-1_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_samba_4.12.5-6_on_cbl_mariner_2.0 | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| nvd | v4.0 | 5.3 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_msrc | — | 4.3 | MEDIUM | — |
GHSA
ghsa_unreviewed·2025-12-18
CVE-2025-14318 [MEDIUM] CWE-863 GHSA-h8c5-64wc-h8mf: Improper access checks in M-Files Server before 25
Improper access checks in M-Files Server before 25.12 allows users to download files through M-Files Web using Web Companion despite Print and Download Prevention module being enabled.
Microsoft
vendor_msrc·2020-12-08·CVSS 4.3
CVE-2020-14318 [MEDIUM] CWE-266
A flaw was found in the way samba handled file and directory permissions. An authenticated user could use this flaw to gain access to certain file and directory information which otherwise would be unavailable to the attacker.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is iden
No detection rules found.
No public exploits indexed.
Wiz
blogs_wiz·CVSS 8.6
CVE-2025-13008 [HIGH] CVE-2025-13008 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13008: M-Files Server vulnerability analysis and mitigation
An information disclosure vulnerability in M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and 24.8 LTS SR5 allows an authenticated attacker using M-Files Web to capture session tokens of other active users.
Source: NVD
Score: 8.6
Published December 19, 2025
Severity HIGH
CNA Score 8.6
Affected Technologies
M-Files Server
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:m-files:m-files_server
Sources
NVD
Windows Has Fix Added at: Dec 21, 2025
Wiz
blogs_wiz·CVSS 8.6
CVE-2026-0932 [HIGH] CVE-2026-0932 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0932: M-Files Server vulnerability analysis and mitigation
Blind server-side request forgery (SSRF) vulnerability in legacy connection methods of document co-authoring features in M-Files Server before 26.3 allow an unauthenticated attacker to cause the server to send HTTP GET requests to arbitrary URLs.
Source: NVD
Score: 6.9
Published April 1, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
M-Files Server
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 20
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
cpe:2.3:a:m-files:m-files_server
Sources
Windows Severity HIGH Has Fix Added at: Apr 02, 2026
Windows Severity HIGH Has Fix Added at:
Wiz
blogs_wiz·CVSS 8.6
CVE-2025-14318 [HIGH] CVE-2025-14318 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14318: M-Files Server vulnerability analysis and mitigation
Improper access checks in M-Files Server before 25.12.15491.7 allows users to download files through M-Files Web using Web Companion despite Print and Download Prevention module being enabled.
Source: NVD
Score: 5.3
Published December 18, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
M-Files Server
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:m-files:m-files_server
Sources
Windows Severity MEDIUM Has Fix Added at: Dec 21, 2025
Windows Severity MEDIUM Has Fix Added at: Jan 08, 2026
Wiz
blogs_wiz·CVSS 8.6
CVE-2026-0663 [HIGH] CVE-2026-0663 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0663: M-Files Server vulnerability analysis and mitigation
Denial-of-service vulnerability in M-Files Server versions before 26.1.15632.3 allows an authenticated attacker with vault administrator privileges to crash the M-Files Server process by calling a vulnerable API endpoint.
Source: NVD
Score: 6.9
Published January 21, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
M-Files Server
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:m-files:m-files_server
Sources
Windows Severity MEDIUM Has Fix Added at: Jan 22, 2026
Windows Severity MEDIUM Has Fix Added at: Feb 04, 2026
Wiz
blogs_wiz·CVSS 8.6
CVE-2025-14267 [HIGH] CVE-2025-14267 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14267: M-Files Server vulnerability analysis and mitigation
Incomplete removal of sensitive information before transfer vulnerability in M-Files Corporation M-Files Server allows data leak exposure affecting versions before 25.12.15491.7
Source: NVD
Score: 5.6
Published December 19, 2025
Severity MEDIUM
CNA Score 5.6
Affected Technologies
M-Files Server
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:m-files:m-files_server
Sources
Windows Severity MEDIUM Has Fix Added at: Dec 21, 2025
Windows Severity MEDIUM Has Fix Added at: Jan 08, 2026
Published: 2025-12-18