Claris FileMaker Server vulnerabilities
9 known vulnerabilities affecting claris/filemaker_server.
Total CVEs: 9
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 1, MEDIUM 7
Vulnerabilities
CVE-2025-46295 | P2 | CRITICAL | CVSS 9.8 | CWE-94 | fixed in 22.0.4 | ≥ unspecified, < 22.0.4 | 2025-12-16
Apache Commons Text versions prior to 1.10.0 included interpolation features that could be abused when applications passed untrusted input into the text-substitution API. Because some interpolators could trigger actions like executing commands or accessing external resources, an attacker could potentially achieve remote code execution. This vulnera
nvd
CVE-2024-27790 | P3 | HIGH | CVSS 7.5 | CWE-284 | fixed in 20.3.2 | ≥ unspecified, < 20.3.2 | 2024-05-14
Claris International has resolved an issue of potentially allowing unauthorized access to records stored in databases hosted on FileMaker Server. This issue has been fixed in FileMaker Server 20.3.2 by validating transactions before replying to client requests.
nvd
CVE-2025-46296 | P4 | MEDIUM | CVSS 5.4 | CWE-285 | fixed in 22.0.4 | ≥ unspecified, < 22.0.4 | 2025-12-16
An authorization bypass vulnerability in FileMaker Server Admin Console allowed administrator roles with minimal privileges to access administrative features such as viewing license details and downloading application logs. This vulnerability has been fully addressed in FileMaker Server 22.0.4.
nvd
CVE-2025-46320 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 21.1.7 | ≥ 22.0.1, < 22.0.4 (+2 more) | 2026-02-24
A cross-site scripting (XSS) vulnerability in a FileMaker WebDirect custom homepage could lead to unauthorized access and remote code execution. This vulnerability has been fully addressed in FileMaker Server 22.0.4 and FileMaker Server 21.1.7.
nvd
CVE-2025-46294 | P4 | MEDIUM | CVSS 5.3 | CWE-200 | fixed in 22.0.4 | ≥ unspecified, < 22.0.4 | 2025-12-16
To enhance security, the FileMaker Server 22.0.4 installer now includes an option to disable IIS short filename enumeration by setting NtfsDisable8dot3NameCreation in the Windows registry. This prevents attackers from using the tilde character to discover hidden files and directories. This vulnerability has been fully addressed in FileMaker Server 2
nvd
CVE-2021-44147 | P4 | MEDIUM | CVSS 5.5 | CWE-611 | fixed in 19.4.1 | 2021-11-22
An XML External Entity issue in Claris FileMaker Pro and Server (including WebDirect) before 19.4.1 allows a remote attacker to disclose local files via a crafted XML/Excel document and perform server-side request forgery attacks.
nvd
CVE-2023-42954 | P4 | MEDIUM | CVSS 4.9 | CWE-250 | fixed in 20.3.1 | ≥ unspecified, < 20.3.1 | 2024-03-21
A privilege escalation issue existed in FileMaker Server, potentially exposing sensitive information to front-end websites when signed in to the Admin Console with an administrator role. This issue has been fixed in FileMaker Server 20.3.1 by reducing the information sent in requests.
nvd
CVE-2024-27794 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 20.3.2 | ≥ unspecified, < 20.3.2 | 2024-04-15
Claris FileMaker Server before version 20.3.2 was susceptible to a reflected Cross-Site Scripting vulnerability due to an improperly handled parameter in the FileMaker WebDirect login endpoint. The vulnerability was resolved in FileMaker Server 20.3.2 by escaping the HTML contents of the login error message on the login page.
nvd
CVE-2023-42955 | P4 | MEDIUM | CVSS 4.9 | CWE-522 | fixed in 20.3.1 | ≥ unspecified, < 20.3.1 | 2024-05-14
Claris International has successfully resolved an issue of potentially exposing password information to front-end websites when signed in to the Admin Console with an administrator role. This issue has been fixed in FileMaker Server 20.3.1 by eliminating the send of Admin Role passwords in the Node.js socket.
nvd