PaperCut MF vulnerabilities
29 known vulnerabilities affecting papercut/papercut_mf.
Total CVEs: 29
CISA KEV: 3 (actively exploited)
Public exploits: 4
Exploited in wild: 4
Severity breakdown: CRITICAL 5, HIGH 12, MEDIUM 11, LOW 1
Vulnerabilities
Page 2 of 2
CVE-2026-6418 | P4 | MEDIUM | CVSS 4.9 | CWE-36 | fixed in 25.0.11 | 2026-05-05
An issue was discovered in the Shared Account Synchronization component of PaperCut MF (version 25.0.4). The application allows administrative users to configure a source path for account data synchronization.
Due to a lack of proper path validation and sanitization, an authenticated user with administrative privileges can specify arbitrary file path
nvd
CVE-2014-2657 | P4 | HIGH | CVSS 7.5 | v14.1 | 2014-04-28
Unspecified vulnerability in the print release functionality in PaperCut MF before 14.1 (Build 26983) has unknown impact and remote vectors, related to embedded MFPs.
nvd
CVE-2014-2659 | P4 | MEDIUM | CVSS 6.8 | CWE-352 | ≤ 14.1, v12.0, +12 more | 2014-04-22
Cross-site request forgery (CSRF) vulnerability in the admin UI in Papercut MF and NG before 14.1 (Build 26983) allows remote attackers to hijack the authentication of administrators via unspecified vectors.
nvd
CVE-2024-8405 | P4 | MEDIUM | CVSS 5.5 | fixed in 23.0.9 | 2024-09-26
An arbitrary file creation vulnerability exists in PaperCut NG/MF that only affects Windows servers with Web Print enabled. This specific flaw exists within the web-print.exe process, which can incorrectly create files that don't exist when a maliciously formed payload is provided. This can be used to flood disk space and result in a Denial of Service (DoS) at
nvd
CVE-2024-9672 | P4 | MEDIUM | CVSS 5.4 | CWE-917 | fixed in 24.1.1, fixed in 24.1 | 2024-12-10
A reflected cross-site scripting (XSS) vulnerability exists in PaperCut NG/MF. This issue can be used to execute specially created JavaScript payloads in the browser. A user must click on a malicious link for this issue to occur.
nvd
CVE-2024-1223 | P4 | MEDIUM | CVSS 4.8 | CWE-488 | fixed in 20.1.10; ≥ 21.0.0, < 21.2.14; +2 more | 2024-03-14
This vulnerability potentially allows unauthorized enumeration of information from the embedded device APIs. An attacker must already have existing knowledge of some combination of valid usernames, device names and an internal system key. For such an attack to be successful the system must be in a specific runtime state.
nvd
CVE-2026-4794 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | fixed in 25.0.10 | 2026-03-31
Multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF before 25.0.10 allow authenticated administrator users to inject arbitrary web script or HTML code via different UI fields. This could be used to compromise other administrators' sessions or perform unauthorized actions via the administrator's authenticated context (e.g. requires a
nvd
CVE-2014-2658 | P4 | MEDIUM | CVSS 5.0 | ≤ 14.1, v12.0, +12 more | 2014-04-28
Unspecified vulnerability in Papercut MF and NG before 14.1 (Build 26983) allows attacker to cause a denial of service via unknown vectors.
nvd
CVE-2024-1221 | P4 | LOW | CVSS 3.1 | CWE-76 | fixed in 20.1.10; ≥ 21.0.0, < 21.2.14; +2 more | 2024-03-14
This vulnerability potentially allows files on a PaperCut NG/MF server to be exposed using a specifically formed payload against the impacted API endpoint. The attacker must carry out some reconnaissance to gain knowledge of a system token. This CVE only affects Linux and macOS PaperCut NG/MF servers.
nvd