CVE-2026-0663
Published 2026-01-21
Priority: P4 · 24 · medium · 4.9 (CVSS 3.1)
Vector: AV:N / AC:L / PR:H / UI:N / S:U / C:N / I:N / A:H
EPSS: 0.37% (29.2th percentile)
Denial-of-service vulnerability in M-Files Server versions before 26.1.15632.3 allows an authenticated attacker with vault administrator privileges to crash the M-Files Server process by calling a vulnerable API endpoint.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| m-files | m-files_server | < 26.1.15632.3 | 26.1.15632.3 |
| m-files_corporation | m-files_server | < 26.1.15632.3 | 26.1.15632.3 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| nvd | v4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
No detection rules found.
No public exploits indexed.
Wiz
CVE-2025-13008 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
CVE-2025-13008 [HIGH] CVE-2025-13008 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13008: M-Files Server vulnerability analysis and mitigation
An information disclosure vulnerability in M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and 24.8 LTS SR5 allows an authenticated attacker using M-Files Web to capture session tokens of other active users.
Source: NVD
| Field | Value |
|---|---|
| Score | 8.6 |
| Published | December 19, 2025 |
| Severity | HIGH |
| CNA Score | 8.6 |
| Affected Technologies | M-Files Server |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 6.1 |
| Exploitation Probability (EPSS) | N/A |
Affected packages and libraries
cpe:2.3:a:m-files:m-files_server
Sources
NVD
Windows Has Fix Added at: Dec 21, 2025
Wiz
CVE-2026-0932 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
CVE-2026-0932 [HIGH] CVE-2026-0932 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0932: M-Files Server vulnerability analysis and mitigation
Blind server-side request forgery (SSRF) vulnerability in legacy connection methods of document co-authoring features in M-Files Server before 26.3 allows an unauthenticated attacker to cause the server to send HTTP GET requests to arbitrary URLs.
Source: NVD
| Field | Value |
|---|---|
| Score | 6.9 |
| Published | April 1, 2026 |
| Severity | MEDIUM |
| CNA Score | 6.9 |
| Affected Technologies | M-Files Server |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 20 |
| Exploitation Probability (EPSS) | 0.1 |
Affected packages and libraries
cpe:2.3:a:m-files:m-files_server
Sources
Windows Severity HIGH Has Fix Added at: Apr 02, 2026
Windows Severity HIGH Has Fix Added at:
Wiz
CVE-2025-14318 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
CVE-2025-14318 [HIGH] CVE-2025-14318 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14318: M-Files Server vulnerability analysis and mitigation
Improper access checks in M-Files Server before 25.12.15491.7 allow users to download files through M-Files Web using Web Companion despite the Print and Download Prevention module being enabled.
Source: NVD
| Field | Value |
|---|---|
| Score | 5.3 |
| Published | December 18, 2025 |
| Severity | MEDIUM |
| CNA Score | 5.3 |
| Affected Technologies | M-Files Server |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 2.2 |
| Exploitation Probability (EPSS) | N/A |
Affected packages and libraries
cpe:2.3:a:m-files:m-files_server
Sources
Windows Severity MEDIUM Has Fix Added at: Dec 21, 2025
Windows Severity MEDIUM Has Fix Added at: Jan 08, 2026
Wiz
CVE-2026-0663 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
CVE-2026-0663 [HIGH] CVE-2026-0663 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0663: M-Files Server vulnerability analysis and mitigation
Denial-of-service vulnerability in M-Files Server versions before 26.1.15632.3 allows an authenticated attacker with vault administrator privileges to crash the M-Files Server process by calling a vulnerable API endpoint.
Source: NVD
| Field | Value |
|---|---|
| Score | 6.9 |
| Published | January 21, 2026 |
| Severity | MEDIUM |
| CNA Score | 6.9 |
| Affected Technologies | M-Files Server |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 8 |
| Exploitation Probability (EPSS) | N/A |
Affected packages and libraries
cpe:2.3:a:m-files:m-files_server
Sources
Windows Severity MEDIUM Has Fix Added at: Jan 22, 2026
Windows Severity MEDIUM Has Fix Added at: Feb 04, 2026
Wiz
CVE-2025-14267 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
CVE-2025-14267 [HIGH] CVE-2025-14267 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14267: M-Files Server vulnerability analysis and mitigation
Incomplete removal of sensitive information before transfer vulnerability in M-Files Corporation M-Files Server allows data leak exposure affecting versions before 25.12.15491.7.
Source: NVD
| Field | Value |
|---|---|
| Score | 5.6 |
| Published | December 19, 2025 |
| Severity | MEDIUM |
| CNA Score | 5.6 |
| Affected Technologies | M-Files Server |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 3.6 |
| Exploitation Probability (EPSS) | N/A |
Affected packages and libraries
cpe:2.3:a:m-files:m-files_server
Sources
Windows Severity MEDIUM Has Fix Added at: Dec 21, 2025
Windows Severity MEDIUM Has Fix Added at: Jan 08, 2026
Bugzilla
CVE-2026-55895 vim: Vim: Arbitrary code execution via Vimscript code injection in netrw plugin [fedora-all]
bugzilla·2026-06-30·CVSS 7.8
CVE-2026-55895 [HIGH] CVE-2026-55895 vim: Vim: Arbitrary code execution via Vimscript code injection in netrw plugin [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to ter