M-Files Corporation M-Files Server vulnerabilities
20 known vulnerabilities affecting m-files_corporation/m-files_server.
Total CVEs
20
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL2HIGH6MEDIUM12
Vulnerabilities
Page 1 of 1
CVE-2024-10127P2CRITICALCVSS 9.8fixed in 24.112024-11-20
CVE-2024-10127 [CRITICAL] CWE-303 CVE-2024-10127: Authentication bypass condition in LDAP authentication in M-Files server versions before 24.11 suppo
Authentication bypass condition in LDAP authentication in M-Files server versions before 24.11 supported usage of OpenLDAP configurations that allowed user authentication without a password when the LDAP server itself had the vulnerable configuration.
nvd
CVE-2023-6912P3CRITICALCVSS 9.8fixed in 23.12.13205.02023-12-20
CVE-2023-6912 [CRITICAL] CWE-307 CVE-2023-6912: Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an atta
Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authentication attempts, potentially compromising targeted M-Files user accounts by guessing passwords.
nvd
CVE-2025-5964P3MEDIUMCVSS 6.5fixed in 25.6.14925.02025-06-15
CVE-2025-5964 [MEDIUM] CWE-22 CVE-2025-5964: A path traversal issue in the API endpoint in M-Files Server before version 25.6.14925.0 allows an a
A path traversal issue in the API endpoint in M-Files Server before version 25.6.14925.0 allows an authenticated user to read files in the server.
nvd
CVE-2026-0932P3HIGHCVSS 7.3fixed in 26.3.15818.52026-04-01
CVE-2026-0932 [HIGH] CWE-918 CVE-2026-0932: Blind server-side request forgery (SSRF) vulnerability in legacy connection methods of document co-a
Blind server-side request forgery (SSRF) vulnerability in legacy connection methods of document co-authoring features in M-Files Server before 26.3 allow an unauthenticated attacker to cause the server to send HTTP GET requests to arbitrary URLs.
nvd
CVE-2025-13008P3HIGHCVSS 8.6fixed in 25.12.15491.72025-12-19
CVE-2025-13008 [HIGH] CWE-359 CVE-2025-13008: An information disclosure vulnerability in M-Files Server before versions 25.12.15491.7, 25.8 LTS SR
An information disclosure vulnerability in M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and 24.8 LTS SR5 allows an authenticated attacker using M-Files Web to capture session tokens of other active users.
nvd
CVE-2024-4056P3HIGHCVSS 7.5≥ 23.11, < 24.4.13592.42024-04-26
CVE-2024-4056 [HIGH] CWE-1333 CVE-2024-4056: Denial of service condition in M-Files Server in versions before 24.4.13592.4 and after 23.11 (exclu
Denial of service condition in M-Files Server in versions before 24.4.13592.4 and after 23.11 (excluding 24.2 LTS) allows unauthenticated user to consume computing resources.
nvd
CVE-2025-0635P3HIGHCVSS 7.5fixed in 25.1.14445.52025-01-23
CVE-2025-0635 [HIGH] CWE-770 CVE-2025-0635: Denial of service condition in M-Files Server in versions before 25.1.14445.5 allows an unauthenti
Denial of service condition in M-Files Server in versions before
25.1.14445.5 allows an unauthenticated user to consume computing resources in certain conditions.
nvd
CVE-2024-6789P3MEDIUMCVSS 6.5fixed in 24.8.13981.0≥ LTS 24.2.0, < LTS 24.2.13421.15 SR2+1 more2024-08-27
CVE-2024-6789 [MEDIUM] CWE-22 CVE-2024-6789: A path traversal issue in API endpoint in M-Files Server before version 24.8.13981.0 and LTS 24.2.13
A path traversal issue in API endpoint in M-Files Server before version 24.8.13981.0 and LTS 24.2.13421.15 SR2 and LTS 23.8.12892.0 SR6 allows authenticated user to read files
nvd
CVE-2023-6910P3MEDIUMCVSS 6.5fixed in 23.12.13195.02023-12-20
CVE-2023-6910 [MEDIUM] CWE-770 CVE-2023-6910: A vulnerable API method in M-Files Server before 23.12.13195.0 allows for uncontrolled resource cons
A vulnerable API method in M-Files Server before 23.12.13195.0 allows for uncontrolled resource consumption. Authenticated attacker can exhaust server storage space to a point where the server can no longer serve requests.
nvd
CVE-2026-0983P4HIGHCVSS 7.1fixed in 26.5.16015.0≥ LTS 25.8.15085.13, < LTS 25.8.15085.24+1 more2026-05-18
CVE-2026-0983 [HIGH] CWE-1286 CVE-2026-0983: Denial-of-service condition in M-Files Server versions before 26.5.16015.0, before 26.2 LTS, and bef
Denial-of-service condition in M-Files Server versions before 26.5.16015.0, before 26.2 LTS, and before 25.8 LTS SR3 allows an authenticated user to cause the MFserver process to crash
nvd
CVE-2025-11681P4MEDIUMCVSS 6.5fixed in 25.11.15392.12025-11-17
CVE-2025-11681 [MEDIUM] CWE-400 CVE-2025-11681: Denial-of-service condition in M-Files Server versions before 25.11.15392.1, before 25.2 LTS SR2 and
Denial-of-service condition in M-Files Server versions before 25.11.15392.1, before 25.2 LTS SR2 and before 25.8 LTS SR2 allows an authenticated user to cause the MFserver process to crash.
nvd
CVE-2025-3086P4HIGHCVSS 7.1fixed in 25.3.145492025-04-04
CVE-2025-3086 [HIGH] CWE-653 CVE-2025-3086: Improper isolation of users in M-Files Server version before 25.3.14549 allows anonymous user to aff
Improper isolation of users in M-Files Server version before 25.3.14549 allows anonymous user to affect other anonymous users views and possibly cause a denial of service
nvd
CVE-2024-0563P4MEDIUMCVSS 6.5fixed in 24.22024-02-23
CVE-2024-0563 [MEDIUM] CWE-770 CVE-2024-0563: Denial of service condition in M-Files Server in versions before 24.2 (excluding 23.2 SR7 and 23.8 S
Denial of service condition in M-Files Server in versions before 24.2 (excluding 23.2 SR7 and 23.8 SR5) allows anonymous user to cause denial of service against other anonymous users.
nvd
CVE-2025-14267P4MEDIUMCVSS 4.9fixed in 25.12.15491.72025-12-19
CVE-2025-14267 [MEDIUM] CWE-212 CVE-2025-14267: Incomplete removal of sensitive information before transfer vulnerability in M-Files Corporation M-F
Incomplete removal of sensitive information before transfer vulnerability in M-Files Corporation M-Files Server allows data leak exposure affecting versions before 25.12.15491.7
nvd
CVE-2025-0619P4MEDIUMCVSS 4.9fixed in 25.1.14445.52025-01-23
CVE-2025-0619 [MEDIUM] CWE-522 CVE-2025-0619: Unsafe password recovery from configuration in M-Files Server before 25.1 allows a highly privileged
Unsafe password recovery from configuration in M-Files Server before 25.1 allows a highly privileged user to recover external connector passwords
nvd
CVE-2025-14318P4MEDIUMCVSS 4.3fixed in 25.12.15491.72025-12-18
CVE-2025-14318 [MEDIUM] CWE-863 CVE-2025-14318: Improper access checks in M-Files Server before 25.12.15491.7 allows users to download files through
Improper access checks in M-Files Server before 25.12.15491.7 allows users to download files through M-Files Web using Web Companion despite Print and Download Prevention module being enabled.
nvd
CVE-2026-0663P4MEDIUMCVSS 4.9fixed in 26.1.15632.32026-01-21
CVE-2026-0663 [MEDIUM] CWE-1286 CVE-2026-0663: Denial-of-service vulnerability in M-Files Server versions before 26.1.15632.3 allows an authenticat
Denial-of-service vulnerability in M-Files Server versions before 26.1.15632.3 allows an authenticated attacker with vault administrator privileges to crash the M-Files Server process by calling a vulnerable API endpoint.
nvd
CVE-2021-41810P4MEDIUMCVSS 4.8≥ M-Files Server, < 22.2.11051.02022-05-02
CVE-2021-41810 [MEDIUM] CWE-79 CVE-2021-41810: Script injection in M-Files Admin versions before 22.2.11051.0, allows executing stored script in ad
Script injection in M-Files Admin versions before 22.2.11051.0, allows executing stored script in admin tool. M-Files Admin tool allows storing configuration data with script which may then get run by another vault administrator. Requires vault admin level authentication and is not remotely exploitable
nvd
CVE-2025-0648P4MEDIUMCVSS 4.9fixed in 25.1.14445.52025-01-23
CVE-2025-0648 [MEDIUM] CWE-248 CVE-2025-0648: Unexpected server crash in database driver in M-Files Server before 25.1.14445.5 and before 24.8 LTS
Unexpected server crash in database driver in M-Files Server before 25.1.14445.5 and before 24.8 LTS SR3 allows a highly privileged attacker to cause denial of service via configuration change.
nvd
CVE-2024-10126P4MEDIUMCVSS 4.3fixed in 24.112024-11-20
CVE-2024-10126 [MEDIUM] CWE-552 CVE-2024-10126: Local File Inclusion vulnerability in M-Files Server in versions before 24.11 (excluding 24.8 SR1, 2
Local File Inclusion vulnerability in M-Files Server in versions before 24.11 (excluding 24.8 SR1, 24.2 SR3 and 23.8 SR7) allows an authenticated user to read server local files of a limited set of filetypes via document preview.
nvd