CVE-2026-0932
Published 2026-04-01
Priority: P3 49 | high | 7.3 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:L / A:L
EPSS: 0.19% (9.3th percentile)
Blind server-side request forgery (SSRF) vulnerability in legacy connection methods of document co-authoring features in M-Files Server before 26.3 allows an unauthenticated attacker to cause the server to send HTTP GET requests to arbitrary URLs.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| m-files | m-files_server | < 26.3.15818.5 | 26.3.15818.5 |
| m-files_corporation | m-files_server | < 26.3.15818.5 | 26.3.15818.5 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| nvd | v4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
No detection rules found.
No public exploits indexed.
Wiz
CVE-2025-13008 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
CVE-2025-13008 [HIGH] CVE-2025-13008 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13008: M-Files Server vulnerability analysis and mitigation
An information disclosure vulnerability in M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and 24.8 LTS SR5 allows an authenticated attacker using M-Files Web to capture session tokens of other active users.
Source: NVD
Score: 8.6
Published: December 19, 2025
Severity: HIGH
CNA Score: 8.6
Affected Technologies: M-Files Server
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 6.1
Exploitation Probability (EPSS): N/A
Affected packages and libraries: cpe:2.3:a:m-files:m-files_server
Sources
NVD
Windows Has Fix Added at: Dec 21, 2025
Wiz
CVE-2026-0932 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
CVE-2026-0932 [HIGH] CVE-2026-0932 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0932: M-Files Server vulnerability analysis and mitigation
Blind server-side request forgery (SSRF) vulnerability in legacy connection methods of document co-authoring features in M-Files Server before 26.3 allows an unauthenticated attacker to cause the server to send HTTP GET requests to arbitrary URLs.
Source: NVD
Score: 6.9
Published: April 1, 2026
Severity: MEDIUM
CNA Score: 6.9
Affected Technologies: M-Files Server
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 20
Exploitation Probability (EPSS): 0.1
Affected packages and libraries: cpe:2.3:a:m-files:m-files_server
Sources
Windows Severity HIGH Has Fix Added at: Apr 02, 2026
Windows Severity HIGH Has Fix Added at:
Wiz
CVE-2025-14318 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
CVE-2025-14318 [HIGH] CVE-2025-14318 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14318: M-Files Server vulnerability analysis and mitigation
Improper access checks in M-Files Server before 25.12.15491.7 allow users to download files through M-Files Web using Web Companion despite the Print and Download Prevention module being enabled.
Source: NVD
Score: 5.3
Published: December 18, 2025
Severity: MEDIUM
CNA Score: 5.3
Affected Technologies: M-Files Server
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 2.2
Exploitation Probability (EPSS): N/A
Affected packages and libraries: cpe:2.3:a:m-files:m-files_server
Sources
Windows Severity MEDIUM Has Fix Added at: Dec 21, 2025
Windows Severity MEDIUM Has Fix Added at: Jan 08, 2026
Wiz
CVE-2026-0663 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
CVE-2026-0663 [HIGH] CVE-2026-0663 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0663: M-Files Server vulnerability analysis and mitigation
Denial-of-service vulnerability in M-Files Server versions before 26.1.15632.3 allows an authenticated attacker with vault administrator privileges to crash the M-Files Server process by calling a vulnerable API endpoint.
Source: NVD
Score: 6.9
Published: January 21, 2026
Severity: MEDIUM
CNA Score: 6.9
Affected Technologies: M-Files Server
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 8
Exploitation Probability (EPSS): N/A
Affected packages and libraries: cpe:2.3:a:m-files:m-files_server
Sources
Windows Severity MEDIUM Has Fix Added at: Jan 22, 2026
Windows Severity MEDIUM Has Fix Added at: Feb 04, 2026
Wiz
CVE-2025-14267 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
CVE-2025-14267 [HIGH] CVE-2025-14267 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14267: M-Files Server vulnerability analysis and mitigation
Incomplete removal of sensitive information before transfer vulnerability in M-Files Corporation M-Files Server allows data leak exposure affecting versions before 25.12.15491.7.
Source: NVD
Score: 5.6
Published: December 19, 2025
Severity: MEDIUM
CNA Score: 5.6
Affected Technologies: M-Files Server
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 3.6
Exploitation Probability (EPSS): N/A
Affected packages and libraries: cpe:2.3:a:m-files:m-files_server
Sources
Windows Severity MEDIUM Has Fix Added at: Dec 21, 2025
Windows Severity MEDIUM Has Fix Added at: Jan 08, 2026