Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    38 vulnerabilities found for M-Files Server by M-Files Corporation

    CVE-2026-0983 (GCVE-0-2026-0983)

    Vulnerability from nvd – Published: 2026-05-18 11:05 – Updated: 2026-05-18 12:40
    VLAI
    Title
    Denial of service vulnerability in M-Files Server
    Summary
    Denial-of-service condition in M-Files Server versions before 26.5.16015.0, before 26.2 LTS, and before 25.8 LTS SR3 allows an authenticated user to cause the MFserver process to crash
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1286 - Improper validation of syntactic correctness of input
    References
    Impacted products
    Vendor Product Version
    M-Files Corporation M-Files Server Affected: 0 , < 26.5.16015.0 (custom)
    Affected: LTS 25.8.15085.13 , < LTS 25.8.15085.24 (custom)
    Affected: LTS 26.2.15718.8 , < LTS 26.2.15718.10 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-0983",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-18T12:40:10.820876Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-18T12:40:39.485Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "M-Files Server",
              "vendor": "M-Files Corporation",
              "versions": [
                {
                  "lessThan": "26.5.16015.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "LTS 25.8.15085.24",
                  "status": "affected",
                  "version": "LTS 25.8.15085.13",
                  "versionType": "custom"
                },
                {
                  "lessThan": "LTS 26.2.15718.10",
                  "status": "affected",
                  "version": "LTS 26.2.15718.8",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:m-files_corporation:m-files_server:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "26.5.16015.0",
                      "versionStartIncluding": "0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:m-files_corporation:m-files_server:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "lts_25.8.15085.24",
                      "versionStartIncluding": "lts_25.8.15085.13",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:m-files_corporation:m-files_server:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "lts_26.2.15718.10",
                      "versionStartIncluding": "lts_26.2.15718.8",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Denial-of-service condition in M-Files Server versions before 26.5.16015.0, before 26.2 LTS, and before 25.8 LTS SR3 allows an authenticated user to cause the MFserver process to crash"
                }
              ],
              "value": "Denial-of-service condition in M-Files Server versions before 26.5.16015.0, before 26.2 LTS, and before 25.8 LTS SR3 allows an authenticated user to cause the MFserver process to crash"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-153",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-153 Input Data Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1286",
                  "description": "CWE-1286 Improper validation of syntactic correctness of input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-18T11:05:29.691Z",
            "orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
            "shortName": "M-Files Corporation"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://empower.m-files.com/security-advisories/CVE-2026-0983"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Denial of service vulnerability in M-Files Server",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
        "assignerShortName": "M-Files Corporation",
        "cveId": "CVE-2026-0983",
        "datePublished": "2026-05-18T11:05:29.691Z",
        "dateReserved": "2026-01-15T10:18:50.486Z",
        "dateUpdated": "2026-05-18T12:40:39.485Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-0932 (GCVE-0-2026-0932)

    Vulnerability from nvd – Published: 2026-04-01 10:03 – Updated: 2026-04-01 12:38
    VLAI
    Summary
    Blind server-side request forgery (SSRF) vulnerability in legacy connection methods of document co-authoring features in M-Files Server before 26.3 allow an unauthenticated attacker to cause the server to send HTTP GET requests to arbitrary URLs.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side request forgery (SSRF)
    Impacted products
    Vendor Product Version
    M-Files Corporation M-Files Server Affected: 0 , < 26.3.15818.5 (custom)
    Create a notification for this product.
    Credits
    Sina Kheirkhah (SinSinology) of watchTowr (watchTowrcyber)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-0932",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-01T12:38:16.581528Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-01T12:38:30.875Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "M-Files Server",
              "vendor": "M-Files Corporation",
              "versions": [
                {
                  "lessThan": "26.3.15818.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sina Kheirkhah (SinSinology) of watchTowr (watchTowrcyber)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan\u003eBlind server-side request forgery (SSRF) vulnerability in legacy connection methods of document co-authoring features in M-Files Server before 26.3 allow an unauthenticated attacker to cause the server to send HTTP GET requests to arbitrary URLs.\u003c/span\u003e"
                }
              ],
              "value": "Blind server-side request forgery (SSRF) vulnerability in legacy connection methods of document co-authoring features in M-Files Server before 26.3 allow an unauthenticated attacker to cause the server to send HTTP GET requests to arbitrary URLs."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-664",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-664 Server Side Request Forgery"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side request forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-01T10:04:00.283Z",
            "orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
            "shortName": "M-Files Corporation"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://empower.m-files.com/security-advisories/CVE-2026-0932"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://product.m-files.com/security-advisories/cve-2026-0932/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
        "assignerShortName": "M-Files Corporation",
        "cveId": "CVE-2026-0932",
        "datePublished": "2026-04-01T10:03:27.785Z",
        "dateReserved": "2026-01-14T07:38:43.377Z",
        "dateUpdated": "2026-04-01T12:38:30.875Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-0663 (GCVE-0-2026-0663)

    Vulnerability from nvd – Published: 2026-01-21 10:29 – Updated: 2026-02-23 10:39
    VLAI
    Title
    Denial of Service condition in M-Files Server
    Summary
    Denial-of-service vulnerability in M-Files Server versions before 26.1.15632.3 allows an authenticated attacker with vault administrator privileges to crash the M-Files Server process by calling a vulnerable API endpoint.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1286 - Improper Validation of Syntactic Correctness of Input
    Impacted products
    Vendor Product Version
    M-Files Corporation M-Files Server Affected: 0 , < 26.1.15632.3 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-0663",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-21T14:26:36.756911Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-21T14:27:18.358Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "M-Files Server",
              "vendor": "M-Files Corporation",
              "versions": [
                {
                  "lessThan": "26.1.15632.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Denial-of-service vulnerability in M-Files Server versions before\u0026nbsp;26.1.15632.3\u0026nbsp;allows an authenticated attacker with vault administrator privileges to crash the M-Files Server process by calling a vulnerable API endpoint."
                }
              ],
              "value": "Denial-of-service vulnerability in M-Files Server versions before\u00a026.1.15632.3\u00a0allows an authenticated attacker with vault administrator privileges to crash the M-Files Server process by calling a vulnerable API endpoint."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-153",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-153 Input Data Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1286",
                  "description": "CWE-1286 Improper Validation of Syntactic Correctness of Input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-23T10:39:26.170Z",
            "orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
            "shortName": "M-Files Corporation"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://product.m-files.com/security-advisories/cve-2026-0663/"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://empower.m-files.com/security-advisories/CVE-2026-0663"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update M-Files Server to unaffected version."
                }
              ],
              "value": "Update M-Files Server to unaffected version."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Denial of Service condition in M-Files Server",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
        "assignerShortName": "M-Files Corporation",
        "cveId": "CVE-2026-0663",
        "datePublished": "2026-01-21T10:29:57.786Z",
        "dateReserved": "2026-01-07T09:47:06.520Z",
        "dateUpdated": "2026-02-23T10:39:26.170Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-14267 (GCVE-0-2025-14267)

    Vulnerability from nvd – Published: 2025-12-19 06:15 – Updated: 2026-02-23 10:35
    VLAI
    Title
    Unintended temporary cached data included in a structure only copy intended to be empty of data
    Summary
    Incomplete removal of sensitive information before transfer vulnerability in M-Files Corporation M-Files Server allows data leak exposure affecting versions before 25.12.15491.7
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-212 - Improper Removal of Sensitive Information Before Storage or Transfer
    Impacted products
    Vendor Product Version
    M-Files Corporation M-Files Server Affected: 0 , < 25.12.15491.7 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-14267",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-19T15:39:44.479615Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-19T15:39:54.861Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "M-Files Server",
              "vendor": "M-Files Corporation",
              "versions": [
                {
                  "lessThan": "25.12.15491.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Incomplete removal of sensitive information before transfer vulnerability in M-Files Corporation M-Files Server allows data leak exposure affecting versions before 25.12.15491.7"
                }
              ],
              "value": "Incomplete removal of sensitive information before transfer vulnerability in M-Files Corporation M-Files Server allows data leak exposure affecting versions before 25.12.15491.7"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-410",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-410 Information Elicitation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 5.6,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-212",
                  "description": "CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-23T10:35:14.878Z",
            "orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
            "shortName": "M-Files Corporation"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://product.m-files.com/security-advisories/cve-2025-14267/"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://empower.m-files.com/security-advisories/CVE-2025-14267"
            }
          ],
          "source": {
            "discovery": "USER"
          },
          "title": "Unintended temporary cached data included in a structure only copy intended to be empty of data",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
        "assignerShortName": "M-Files Corporation",
        "cveId": "CVE-2025-14267",
        "datePublished": "2025-12-19T06:15:09.580Z",
        "dateReserved": "2025-12-08T13:09:32.914Z",
        "dateUpdated": "2026-02-23T10:35:14.878Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-13008 (GCVE-0-2025-13008)

    Vulnerability from nvd – Published: 2025-12-19 07:04 – Updated: 2026-02-23 10:34
    VLAI
    Title
    Session Token Disclosure in M-Files Web
    Summary
    An information disclosure vulnerability in M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and 24.8 LTS SR5 allows an authenticated attacker using M-Files Web to capture session tokens of other active users.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
    Impacted products
    Vendor Product Version
    M-Files Corporation M-Files Server Affected: 0 , < 25.12.15491.7 (custom)
    Unaffected: 25.8.15085.18
    Unaffected: 25.2.14524.14
    Unaffected: 24.8.13981.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-13008",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-19T15:15:43.880544Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-19T15:15:49.966Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "M-Files Server",
              "vendor": "M-Files Corporation",
              "versions": [
                {
                  "lessThan": "25.12.15491.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "25.8.15085.18"
                },
                {
                  "status": "unaffected",
                  "version": "25.2.14524.14"
                },
                {
                  "status": "unaffected",
                  "version": "24.8.13981.17"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:m-files_corporation:m-files_server:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "25.12.15491.7",
                      "versionStartIncluding": "0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:m-files_corporation:m-files_server:25.8.15085.18:*:*:*:*:*:*:*",
                      "vulnerable": false
                    },
                    {
                      "criteria": "cpe:2.3:a:m-files_corporation:m-files_server:25.2.14524.14:*:*:*:*:*:*:*",
                      "vulnerable": false
                    },
                    {
                      "criteria": "cpe:2.3:a:m-files_corporation:m-files_server:24.8.13981.17:*:*:*:*:*:*:*",
                      "vulnerable": false
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An information disclosure vulnerability in M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and 24.8 LTS SR5 allows an authenticated attacker using M-Files Web to capture session tokens of other active users.\u003cbr\u003e"
                }
              ],
              "value": "An information disclosure vulnerability in M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and 24.8 LTS SR5 allows an authenticated attacker using M-Files Web to capture session tokens of other active users."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-60",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-60 Reusing Session IDs (aka Session Replay)"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-359",
                  "description": "CWE-359 Exposure of Private Personal Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-23T10:34:29.942Z",
            "orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
            "shortName": "M-Files Corporation"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://product.m-files.com/security-advisories/cve-2025-13008"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://empower.m-files.com/security-advisories/CVE-2025-13008"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update M-Files Server to unaffected version."
                }
              ],
              "value": "Update M-Files Server to unaffected version."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Session Token Disclosure in M-Files Web",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
        "assignerShortName": "M-Files Corporation",
        "cveId": "CVE-2025-13008",
        "datePublished": "2025-12-19T07:04:19.709Z",
        "dateReserved": "2025-11-11T14:42:39.451Z",
        "dateUpdated": "2026-02-23T10:34:29.942Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-14318 (GCVE-0-2025-14318)

    Vulnerability from nvd – Published: 2025-12-18 07:32 – Updated: 2026-02-23 10:35
    VLAI
    Title
    Improper access validation in M-Files Server
    Summary
    Improper access checks in M-Files Server before 25.12.15491.7 allows users to download files through M-Files Web using Web Companion despite Print and Download Prevention module being enabled.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Impacted products
    Vendor Product Version
    M-Files Corporation M-Files Server Affected: 0 , < 25.12.15491.7 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-14318",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-18T15:01:59.800067Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-18T15:02:15.225Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "M-Files Server",
              "vendor": "M-Files Corporation",
              "versions": [
                {
                  "lessThan": "25.12.15491.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper access checks in M-Files Server before 25.12.15491.7 allows users to download files through M-Files Web using Web Companion despite Print and Download Prevention module being enabled.\u003cbr\u003e"
                }
              ],
              "value": "Improper access checks in M-Files Server before 25.12.15491.7 allows users to download files through M-Files Web using Web Companion despite Print and Download Prevention module being enabled."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-1",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863 Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-23T10:35:59.056Z",
            "orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
            "shortName": "M-Files Corporation"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://product.m-files.com/security-advisories/cve-2025-14318/"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://empower.m-files.com/security-advisories/CVE-2025-14318"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to the latest version.\u0026nbsp;"
                }
              ],
              "value": "Update to the latest version."
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Improper access validation in M-Files Server",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "No workaround available on affected versions.\u003cbr\u003e"
                }
              ],
              "value": "No workaround available on affected versions."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
        "assignerShortName": "M-Files Corporation",
        "cveId": "CVE-2025-14318",
        "datePublished": "2025-12-18T07:32:34.230Z",
        "dateReserved": "2025-12-09T10:22:36.277Z",
        "dateUpdated": "2026-02-23T10:35:59.056Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-11681 (GCVE-0-2025-11681)

    Vulnerability from nvd – Published: 2025-11-17 11:30 – Updated: 2026-02-23 10:33
    VLAI
    Title
    Denial of Service condition in M-Files Server
    Summary
    Denial-of-service condition in M-Files Server versions before 25.11.15392.1, before 25.2 LTS SR2 and before 25.8 LTS SR2 allows an authenticated user to cause the MFserver process to crash.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Impacted products
    Vendor Product Version
    M-Files Corporation M-Files Server Affected: 0 , < 25.11.15392.1 (custom)
    Unaffected: 25.2.14524.13
    Unaffected: 25.8.15085.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-11681",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-17T14:35:26.225254Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-17T14:36:42.885Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "M-Files Server",
              "vendor": "M-Files Corporation",
              "versions": [
                {
                  "lessThan": "25.11.15392.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "25.2.14524.13"
                },
                {
                  "status": "unaffected",
                  "version": "25.8.15085.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Denial-of-service condition in M-Files Server versions before 25.11.15392.1, before 25.2 LTS SR2 and before 25.8 LTS SR2 allows an authenticated user to cause the MFserver process to crash.\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "Denial-of-service condition in M-Files Server versions before 25.11.15392.1, before 25.2 LTS SR2 and before 25.8 LTS SR2 allows an authenticated user to cause the MFserver process to crash."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-492",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-492 Regular Expression Exponential Blowup"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-23T10:33:40.472Z",
            "orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
            "shortName": "M-Files Corporation"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://product.m-files.com/security-advisories/cve-2025-11681/"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://empower.m-files.com/security-advisories/CVE-2025-11681"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Denial of Service condition in M-Files Server",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "No workaround available on affected versions.\u003cbr\u003e"
                }
              ],
              "value": "No workaround available on affected versions."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
        "assignerShortName": "M-Files Corporation",
        "cveId": "CVE-2025-11681",
        "datePublished": "2025-11-17T11:30:25.324Z",
        "dateReserved": "2025-10-13T10:29:59.870Z",
        "dateUpdated": "2026-02-23T10:33:40.472Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-5964 (GCVE-0-2025-5964)

    Vulnerability from nvd – Published: 2025-06-15 19:42 – Updated: 2026-02-23 10:29
    VLAI
    Title
    Path traversal in M-Files API
    Summary
    A path traversal issue in the API endpoint in M-Files Server before version 25.6.14925.0 allows an authenticated user to read files in the server.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Impacted products
    Vendor Product Version
    M-Files Corporation M-Files Server Affected: 0 , < 25.6.14925.0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-5964",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-16T13:46:19.248409Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-16T13:46:48.208Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "M-Files Server",
              "vendor": "M-Files Corporation",
              "versions": [
                {
                  "lessThan": "25.6.14925.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A path traversal issue in the API endpoint in M-Files Server before version 25.6.14925.0 allows an authenticated user to read files in the server."
                }
              ],
              "value": "A path traversal issue in the API endpoint in M-Files Server before version 25.6.14925.0 allows an authenticated user to read files in the server."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-126 Path Traversal"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "GREEN",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/RE:M/U:Green",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "MODERATE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-23T10:29:03.940Z",
            "orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
            "shortName": "M-Files Corporation"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://product.m-files.com/security-advisories/cve-2025-5964"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://empower.m-files.com/security-advisories/CVE-2025-5964"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003eUpdate to the latest patched version.\u003c/div\u003e\u003c/div\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "Update to the latest patched version."
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Path traversal in M-Files API",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
        "assignerShortName": "M-Files Corporation",
        "cveId": "CVE-2025-5964",
        "datePublished": "2025-06-15T19:42:24.617Z",
        "dateReserved": "2025-06-10T07:36:27.344Z",
        "dateUpdated": "2026-02-23T10:29:03.940Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-3086 (GCVE-0-2025-3086)

    Vulnerability from nvd – Published: 2025-04-04 06:37 – Updated: 2026-02-23 10:26
    VLAI
    Title
    User in anonymous role could create and delete views
    Summary
    Improper isolation of users in M-Files Server version before 25.3.14549 allows anonymous user to affect other anonymous users views and possibly cause a denial of service
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Impacted products
    Vendor Product Version
    M-Files Corporation M-Files Server Affected: 0 , < 25.3.14549 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-3086",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-04T13:24:14.425443Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-04T13:25:05.573Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "M-Files Server",
              "vendor": "M-Files Corporation",
              "versions": [
                {
                  "lessThan": "25.3.14549",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper isolation of users in M-Files Server version before 25.3.14549 allows anonymous user to affect other anonymous users views and possibly cause a denial of service"
                }
              ],
              "value": "Improper isolation of users in M-Files Server version before 25.3.14549 allows anonymous user to affect other anonymous users views and possibly cause a denial of service"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-130",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-130 Excessive Allocation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-653",
                  "description": "CWE-653",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-23T10:26:58.607Z",
            "orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
            "shortName": "M-Files Corporation"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://product.m-files.com/security-advisories/cve-2025-3086/"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://empower.m-files.com/security-advisories/CVE-2025-3086"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "User in anonymous role could create and delete views",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
        "assignerShortName": "M-Files Corporation",
        "cveId": "CVE-2025-3086",
        "datePublished": "2025-04-04T06:37:42.901Z",
        "dateReserved": "2025-04-01T11:18:33.242Z",
        "dateUpdated": "2026-02-23T10:26:58.607Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-0648 (GCVE-0-2025-0648)

    Vulnerability from nvd – Published: 2025-01-23 11:06 – Updated: 2026-02-23 10:24
    VLAI
    Title
    M-Files Server crash via EOT database driver configuration
    Summary
    Unexpected server crash in database driver in M-Files Server before 25.1.14445.5 and before 24.8 LTS SR3 allows a highly privileged attacker to cause denial of service via configuration change.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Impacted products
    Vendor Product Version
    M-Files Corporation M-Files Server Affected: 0 , < 25.1.14445.5 (custom)
    Unaffected: 24.8.13981.14 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-0648",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-23T14:11:06.426320Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T20:41:24.628Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "M-Files Server",
              "vendor": "M-Files Corporation",
              "versions": [
                {
                  "lessThan": "25.1.14445.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "24.8.13981.14",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Unexpected server crash in database driver in M-Files Server before 25.1.14445.5 and before 24.8 LTS SR3  allows a highly privileged attacker to cause denial of service via configuration change."
                }
              ],
              "value": "Unexpected server crash in database driver in M-Files Server before 25.1.14445.5 and before 24.8 LTS SR3  allows a highly privileged attacker to cause denial of service via configuration change."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-137",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-137 Parameter Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-248",
                  "description": "CWE-248 Uncaught Exception",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-23T10:24:49.952Z",
            "orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
            "shortName": "M-Files Corporation"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://product.m-files.com/security-advisories/cve-2025-0648/"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://empower.m-files.com/security-advisories/CVE-2025-0648"
            }
          ],
          "source": {
            "discovery": "USER"
          },
          "title": "M-Files Server crash via EOT database driver configuration",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
        "assignerShortName": "M-Files Corporation",
        "cveId": "CVE-2025-0648",
        "datePublished": "2025-01-23T11:06:19.319Z",
        "dateReserved": "2025-01-22T14:47:55.988Z",
        "dateUpdated": "2026-02-23T10:24:49.952Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-0635 (GCVE-0-2025-0635)

    Vulnerability from nvd – Published: 2025-01-23 11:07 – Updated: 2026-02-23 10:23
    VLAI
    Title
    Denial of Service condition in M-Files Server
    Summary
    Denial of service condition in M-Files Server in versions before 25.1.14445.5 allows an unauthenticated user to consume computing resources in certain conditions.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Impacted products
    Vendor Product Version
    M-Files Corporation M-Files Server Affected: 0 , < 25.1.14445.5 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-0635",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-23T14:10:35.470065Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T20:41:24.321Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "M-Files Server",
              "vendor": "M-Files Corporation",
              "versions": [
                {
                  "lessThan": "25.1.14445.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(242, 244, 249);\"\u003eDenial of service condition in M-Files Server in versions before \n\n25.1.14445.5 allows an unauthenticated user to consume computing resources in certain conditions.\u003c/span\u003e"
                }
              ],
              "value": "Denial of service condition in M-Files Server in versions before \n\n25.1.14445.5 allows an unauthenticated user to consume computing resources in certain conditions."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-229",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-229 Serialized Data Parameter Blowup"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-23T10:23:57.202Z",
            "orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
            "shortName": "M-Files Corporation"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://product.m-files.com/security-advisories/cve-2025-0635/"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://empower.m-files.com/security-advisories/CVE-2025-0635"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Denial of Service condition in M-Files Server",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
        "assignerShortName": "M-Files Corporation",
        "cveId": "CVE-2025-0635",
        "datePublished": "2025-01-23T11:07:51.496Z",
        "dateReserved": "2025-01-22T08:51:14.145Z",
        "dateUpdated": "2026-02-23T10:23:57.202Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-0619 (GCVE-0-2025-0619)

    Vulnerability from nvd – Published: 2025-01-23 11:07 – Updated: 2026-02-23 10:23
    VLAI
    Title
    Unsafe stored password recovery
    Summary
    Unsafe password recovery from configuration in M-Files Server before 25.1 allows a highly privileged user to recover external connector passwords
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-522 - Insufficiently Protected Credentials
    Impacted products
    Vendor Product Version
    M-Files Corporation M-Files Server Affected: 0 , < 25.1.14445.5 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-0619",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-23T14:10:53.031754Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T20:41:24.465Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "M-Files Server",
              "vendor": "M-Files Corporation",
              "versions": [
                {
                  "lessThan": "25.1.14445.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Unsafe password recovery from configuration in M-Files Server before 25.1 allows a highly privileged user to recover external connector passwords\u0026nbsp;\u003cbr\u003e"
                }
              ],
              "value": "Unsafe password recovery from configuration in M-Files Server before 25.1 allows a highly privileged user to recover external connector passwords"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-212",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-212 Functionality Misuse"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 4.6,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-522",
                  "description": "CWE-522 Insufficiently Protected Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-23T10:23:24.587Z",
            "orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
            "shortName": "M-Files Corporation"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://product.m-files.com/security-advisories/cve-2025-0619/"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://empower.m-files.com/security-advisories/CVE-2025-0619"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Unsafe stored password recovery",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
        "assignerShortName": "M-Files Corporation",
        "cveId": "CVE-2025-0619",
        "datePublished": "2025-01-23T11:07:10.295Z",
        "dateReserved": "2025-01-21T14:07:32.386Z",
        "dateUpdated": "2026-02-23T10:23:24.587Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-10127 (GCVE-0-2024-10127)

    Vulnerability from nvd – Published: 2024-11-20 08:36 – Updated: 2026-02-23 10:21
    VLAI
    Title
    Support for authentication bypass condition in M-Files LDAP authentication
    Summary
    Authentication bypass condition in LDAP authentication in M-Files server versions before 24.11 supported usage of OpenLDAP configurations that allowed user authentication without a password when the LDAP server itself had the vulnerable configuration.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-303 - Incorrect Implementation of Authentication Algorithm
    Impacted products
    Vendor Product Version
    M-Files Corporation M-Files Server Affected: 0 , < 24.11 (semver)
    Unaffected: 0 , < 24.8 LTS SR2 (custom)
    Create a notification for this product.
    m-files m-files Affected: 0 , < 24.11 (semver)
        cpe:2.3:a:m-files:m-files:-:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:m-files:m-files:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "m-files",
                "vendor": "m-files",
                "versions": [
                  {
                    "lessThan": "24.11",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-10127",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-20T20:20:29.147851Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-21T14:40:27.028Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows"
              ],
              "product": "M-Files Server",
              "vendor": "M-Files Corporation",
              "versions": [
                {
                  "lessThan": "24.11",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "24.8 LTS SR2",
                  "status": "unaffected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Authentication bypass condition in LDAP authentication in M-Files server versions before 24.11 supported usage of OpenLDAP configurations that allowed user authentication without a password when the LDAP server itself had the vulnerable configuration."
                }
              ],
              "value": "Authentication bypass condition in LDAP authentication in M-Files server versions before 24.11 supported usage of OpenLDAP configurations that allowed user authentication without a password when the LDAP server itself had the vulnerable configuration."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-114",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-114 Authentication Abuse"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 9.2,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-303",
                  "description": "CWE-303: Incorrect Implementation of Authentication Algorithm",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-23T10:21:16.507Z",
            "orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
            "shortName": "M-Files Corporation"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://product.m-files.com/security-advisories/CVE-2024-10127"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://empower.m-files.com/security-advisories/CVE-2024-10127"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to patched version\n\n\u003cbr\u003e"
                }
              ],
              "value": "Update to patched version"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Support for authentication bypass condition in M-Files LDAP authentication",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
        "assignerShortName": "M-Files Corporation",
        "cveId": "CVE-2024-10127",
        "datePublished": "2024-11-20T08:36:03.443Z",
        "dateReserved": "2024-10-18T13:26:52.758Z",
        "dateUpdated": "2026-02-23T10:21:16.507Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-6789 (GCVE-0-2024-6789)

    Vulnerability from nvd – Published: 2024-08-27 09:57 – Updated: 2026-02-23 10:17
    VLAI
    Title
    Path traversal in M-Files API
    Summary
    A path traversal issue in API endpoint in M-Files Server before version 24.8.13981.0 and LTS 24.2.13421.15 SR2 and LTS 23.8.12892.0 SR6 allows authenticated user to read files
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Impacted products
    Vendor Product Version
    M-Files Corporation M-Files Server Affected: 0 , < 24.8.13981.0 (semver)
    Affected: LTS 24.2.0 , < LTS 24.2.13421.15 SR2 (custom)
    Affected: LTS 23.8.0 , < LTS 23.8.12892.0 SR6 (custom)
    Create a notification for this product.
    Date Public
    2024-08-27 06:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6789",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-27T13:13:31.263628Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-27T13:13:43.057Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "M-Files Server",
              "vendor": "M-Files Corporation",
              "versions": [
                {
                  "lessThan": "24.8.13981.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "LTS 24.2.13421.15 SR2",
                  "status": "affected",
                  "version": "LTS 24.2.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "LTS 23.8.12892.0 SR6",
                  "status": "affected",
                  "version": "LTS 23.8.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2024-08-27T06:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A path traversal issue in API endpoint in M-Files Server before version 24.8.13981.0 and\u0026nbsp;LTS 24.2.13421.15 SR2 and\u0026nbsp;LTS 23.8.12892.0 SR6 allows authenticated user to read files"
                }
              ],
              "value": "A path traversal issue in API endpoint in M-Files Server before version 24.8.13981.0 and\u00a0LTS 24.2.13421.15 SR2 and\u00a0LTS 23.8.12892.0 SR6 allows authenticated user to read files"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-126 Path Traversal"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "GREEN",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/RE:M/U:Green",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "MODERATE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-23T10:17:03.748Z",
            "orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
            "shortName": "M-Files Corporation"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://product.m-files.com/security-advisories/cve-2024-6789/"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://empower.m-files.com/security-advisories/CVE-2024-6789"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to patched version"
                }
              ],
              "value": "Update to patched version"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Path traversal in M-Files API",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
        "assignerShortName": "M-Files Corporation",
        "cveId": "CVE-2024-6789",
        "datePublished": "2024-08-27T09:57:00.441Z",
        "dateReserved": "2024-07-16T12:19:08.442Z",
        "dateUpdated": "2026-02-23T10:17:03.748Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-4056 (GCVE-0-2024-4056)

    Vulnerability from nvd – Published: 2024-04-26 06:02 – Updated: 2026-02-23 10:10
    VLAI
    Title
    Denial of service condition in M-Files Server
    Summary
    Denial of service condition in M-Files Server in versions before 24.4.13592.4 and after 23.11 (excluding 24.2 LTS) allows unauthenticated user to consume computing resources.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1333 - Inefficient Regular Expression Complexity
    Impacted products
    Vendor Product Version
    M-Files Corporation M-Files Server Affected: 23.11 , < 24.4.13592.4 (custom)
    Unaffected: 24.2 LTS
    Create a notification for this product.
    m-files m-files_server Affected: *
        cpe:2.3:a:m-files:m-files_server:-:*:*:*:*:*:*:*
    Create a notification for this product.
    m-files m-files_server Affected: -
        cpe:2.3:a:m-files:m-files_server:-:*:*:*:*:*:*:*
    Create a notification for this product.
    m-files m-files_server Unknown: 24.2 LTS
        cpe:2.3:a:m-files:m-files_server:-:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-04-29 11:05
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:m-files:m-files_server:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "m-files_server",
                "vendor": "m-files",
                "versions": [
                  {
                    "status": "affected",
                    "version": "*"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:m-files:m-files_server:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "m-files_server",
                "vendor": "m-files",
                "versions": [
                  {
                    "status": "affected",
                    "version": "-"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:m-files:m-files_server:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "m-files_server",
                "vendor": "m-files",
                "versions": [
                  {
                    "status": "unknown",
                    "version": "24.2 LTS"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-4056",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-26T19:19:39.222407Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:56:32.437Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:26:57.309Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2024-4056/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "M-Files Server",
              "vendor": "M-Files Corporation",
              "versions": [
                {
                  "lessThan": "24.4.13592.4",
                  "status": "affected",
                  "version": "23.11",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "24.2 LTS"
                }
              ]
            }
          ],
          "datePublic": "2024-04-29T11:05:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eDenial of service condition in M-Files Server in versions before 24.4.13592.4\u0026nbsp;and after 23.11 (excluding 24.2 LTS) allows unauthenticated user to consume computing resources.\u003c/span\u003e"
                }
              ],
              "value": "Denial of service condition in M-Files Server in versions before 24.4.13592.4\u00a0and after 23.11 (excluding 24.2 LTS) allows unauthenticated user to consume computing resources."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-492",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-492 Regular Expression Exponential Blowup"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1333",
                  "description": "CWE-1333: Inefficient Regular Expression Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-23T10:10:50.553Z",
            "orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
            "shortName": "M-Files Corporation"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://product.m-files.com/security-advisories/cve-2024-4056/"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://empower.m-files.com/security-advisories/CVE-2024-4056"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Denial of service condition in M-Files Server",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "No workaround available on affected versions."
                }
              ],
              "value": "No workaround available on affected versions."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
        "assignerShortName": "M-Files Corporation",
        "cveId": "CVE-2024-4056",
        "datePublished": "2024-04-26T06:02:21.917Z",
        "dateReserved": "2024-04-23T08:17:04.443Z",
        "dateUpdated": "2026-02-23T10:10:50.553Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-0983 (GCVE-0-2026-0983)

    Vulnerability from cvelistv5 – Published: 2026-05-18 11:05 – Updated: 2026-05-18 12:40
    VLAI
    Title
    Denial of service vulnerability in M-Files Server
    Summary
    Denial-of-service condition in M-Files Server versions before 26.5.16015.0, before 26.2 LTS, and before 25.8 LTS SR3 allows an authenticated user to cause the MFserver process to crash
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1286 - Improper validation of syntactic correctness of input
    References
    Impacted products
    Vendor Product Version
    M-Files Corporation M-Files Server Affected: 0 , < 26.5.16015.0 (custom)
    Affected: LTS 25.8.15085.13 , < LTS 25.8.15085.24 (custom)
    Affected: LTS 26.2.15718.8 , < LTS 26.2.15718.10 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-0983",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-18T12:40:10.820876Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-18T12:40:39.485Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "M-Files Server",
              "vendor": "M-Files Corporation",
              "versions": [
                {
                  "lessThan": "26.5.16015.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "LTS 25.8.15085.24",
                  "status": "affected",
                  "version": "LTS 25.8.15085.13",
                  "versionType": "custom"
                },
                {
                  "lessThan": "LTS 26.2.15718.10",
                  "status": "affected",
                  "version": "LTS 26.2.15718.8",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:m-files_corporation:m-files_server:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "26.5.16015.0",
                      "versionStartIncluding": "0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:m-files_corporation:m-files_server:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "lts_25.8.15085.24",
                      "versionStartIncluding": "lts_25.8.15085.13",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:m-files_corporation:m-files_server:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "lts_26.2.15718.10",
                      "versionStartIncluding": "lts_26.2.15718.8",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Denial-of-service condition in M-Files Server versions before 26.5.16015.0, before 26.2 LTS, and before 25.8 LTS SR3 allows an authenticated user to cause the MFserver process to crash"
                }
              ],
              "value": "Denial-of-service condition in M-Files Server versions before 26.5.16015.0, before 26.2 LTS, and before 25.8 LTS SR3 allows an authenticated user to cause the MFserver process to crash"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-153",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-153 Input Data Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1286",
                  "description": "CWE-1286 Improper validation of syntactic correctness of input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-18T11:05:29.691Z",
            "orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
            "shortName": "M-Files Corporation"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://empower.m-files.com/security-advisories/CVE-2026-0983"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Denial of service vulnerability in M-Files Server",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
        "assignerShortName": "M-Files Corporation",
        "cveId": "CVE-2026-0983",
        "datePublished": "2026-05-18T11:05:29.691Z",
        "dateReserved": "2026-01-15T10:18:50.486Z",
        "dateUpdated": "2026-05-18T12:40:39.485Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-0932 (GCVE-0-2026-0932)

    Vulnerability from cvelistv5 – Published: 2026-04-01 10:03 – Updated: 2026-04-01 12:38
    VLAI
    Summary
    Blind server-side request forgery (SSRF) vulnerability in legacy connection methods of document co-authoring features in M-Files Server before 26.3 allow an unauthenticated attacker to cause the server to send HTTP GET requests to arbitrary URLs.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side request forgery (SSRF)
    Impacted products
    Vendor Product Version
    M-Files Corporation M-Files Server Affected: 0 , < 26.3.15818.5 (custom)
    Create a notification for this product.
    Credits
    Sina Kheirkhah (SinSinology) of watchTowr (watchTowrcyber)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-0932",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-01T12:38:16.581528Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-01T12:38:30.875Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "M-Files Server",
              "vendor": "M-Files Corporation",
              "versions": [
                {
                  "lessThan": "26.3.15818.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sina Kheirkhah (SinSinology) of watchTowr (watchTowrcyber)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan\u003eBlind server-side request forgery (SSRF) vulnerability in legacy connection methods of document co-authoring features in M-Files Server before 26.3 allow an unauthenticated attacker to cause the server to send HTTP GET requests to arbitrary URLs.\u003c/span\u003e"
                }
              ],
              "value": "Blind server-side request forgery (SSRF) vulnerability in legacy connection methods of document co-authoring features in M-Files Server before 26.3 allow an unauthenticated attacker to cause the server to send HTTP GET requests to arbitrary URLs."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-664",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-664 Server Side Request Forgery"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side request forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-01T10:04:00.283Z",
            "orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
            "shortName": "M-Files Corporation"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://empower.m-files.com/security-advisories/CVE-2026-0932"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://product.m-files.com/security-advisories/cve-2026-0932/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
        "assignerShortName": "M-Files Corporation",
        "cveId": "CVE-2026-0932",
        "datePublished": "2026-04-01T10:03:27.785Z",
        "dateReserved": "2026-01-14T07:38:43.377Z",
        "dateUpdated": "2026-04-01T12:38:30.875Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-0663 (GCVE-0-2026-0663)

    Vulnerability from cvelistv5 – Published: 2026-01-21 10:29 – Updated: 2026-02-23 10:39
    VLAI
    Title
    Denial of Service condition in M-Files Server
    Summary
    Denial-of-service vulnerability in M-Files Server versions before 26.1.15632.3 allows an authenticated attacker with vault administrator privileges to crash the M-Files Server process by calling a vulnerable API endpoint.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1286 - Improper Validation of Syntactic Correctness of Input
    Impacted products
    Vendor Product Version
    M-Files Corporation M-Files Server Affected: 0 , < 26.1.15632.3 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-0663",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-21T14:26:36.756911Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-21T14:27:18.358Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "M-Files Server",
              "vendor": "M-Files Corporation",
              "versions": [
                {
                  "lessThan": "26.1.15632.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Denial-of-service vulnerability in M-Files Server versions before\u0026nbsp;26.1.15632.3\u0026nbsp;allows an authenticated attacker with vault administrator privileges to crash the M-Files Server process by calling a vulnerable API endpoint."
                }
              ],
              "value": "Denial-of-service vulnerability in M-Files Server versions before\u00a026.1.15632.3\u00a0allows an authenticated attacker with vault administrator privileges to crash the M-Files Server process by calling a vulnerable API endpoint."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-153",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-153 Input Data Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1286",
                  "description": "CWE-1286 Improper Validation of Syntactic Correctness of Input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-23T10:39:26.170Z",
            "orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
            "shortName": "M-Files Corporation"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://product.m-files.com/security-advisories/cve-2026-0663/"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://empower.m-files.com/security-advisories/CVE-2026-0663"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update M-Files Server to unaffected version."
                }
              ],
              "value": "Update M-Files Server to unaffected version."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Denial of Service condition in M-Files Server",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
        "assignerShortName": "M-Files Corporation",
        "cveId": "CVE-2026-0663",
        "datePublished": "2026-01-21T10:29:57.786Z",
        "dateReserved": "2026-01-07T09:47:06.520Z",
        "dateUpdated": "2026-02-23T10:39:26.170Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-13008 (GCVE-0-2025-13008)

    Vulnerability from cvelistv5 – Published: 2025-12-19 07:04 – Updated: 2026-02-23 10:34
    VLAI
    Title
    Session Token Disclosure in M-Files Web
    Summary
    An information disclosure vulnerability in M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and 24.8 LTS SR5 allows an authenticated attacker using M-Files Web to capture session tokens of other active users.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
    Impacted products
    Vendor Product Version
    M-Files Corporation M-Files Server Affected: 0 , < 25.12.15491.7 (custom)
    Unaffected: 25.8.15085.18
    Unaffected: 25.2.14524.14
    Unaffected: 24.8.13981.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-13008",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-19T15:15:43.880544Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-19T15:15:49.966Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "M-Files Server",
              "vendor": "M-Files Corporation",
              "versions": [
                {
                  "lessThan": "25.12.15491.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "25.8.15085.18"
                },
                {
                  "status": "unaffected",
                  "version": "25.2.14524.14"
                },
                {
                  "status": "unaffected",
                  "version": "24.8.13981.17"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:m-files_corporation:m-files_server:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "25.12.15491.7",
                      "versionStartIncluding": "0",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:m-files_corporation:m-files_server:25.8.15085.18:*:*:*:*:*:*:*",
                      "vulnerable": false
                    },
                    {
                      "criteria": "cpe:2.3:a:m-files_corporation:m-files_server:25.2.14524.14:*:*:*:*:*:*:*",
                      "vulnerable": false
                    },
                    {
                      "criteria": "cpe:2.3:a:m-files_corporation:m-files_server:24.8.13981.17:*:*:*:*:*:*:*",
                      "vulnerable": false
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An information disclosure vulnerability in M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and 24.8 LTS SR5 allows an authenticated attacker using M-Files Web to capture session tokens of other active users.\u003cbr\u003e"
                }
              ],
              "value": "An information disclosure vulnerability in M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and 24.8 LTS SR5 allows an authenticated attacker using M-Files Web to capture session tokens of other active users."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-60",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-60 Reusing Session IDs (aka Session Replay)"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-359",
                  "description": "CWE-359 Exposure of Private Personal Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-23T10:34:29.942Z",
            "orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
            "shortName": "M-Files Corporation"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://product.m-files.com/security-advisories/cve-2025-13008"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://empower.m-files.com/security-advisories/CVE-2025-13008"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update M-Files Server to unaffected version."
                }
              ],
              "value": "Update M-Files Server to unaffected version."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Session Token Disclosure in M-Files Web",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
        "assignerShortName": "M-Files Corporation",
        "cveId": "CVE-2025-13008",
        "datePublished": "2025-12-19T07:04:19.709Z",
        "dateReserved": "2025-11-11T14:42:39.451Z",
        "dateUpdated": "2026-02-23T10:34:29.942Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-14267 (GCVE-0-2025-14267)

    Vulnerability from cvelistv5 – Published: 2025-12-19 06:15 – Updated: 2026-02-23 10:35
    VLAI
    Title
    Unintended temporary cached data included in a structure only copy intended to be empty of data
    Summary
    Incomplete removal of sensitive information before transfer vulnerability in M-Files Corporation M-Files Server allows data leak exposure affecting versions before 25.12.15491.7
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-212 - Improper Removal of Sensitive Information Before Storage or Transfer
    Impacted products
    Vendor Product Version
    M-Files Corporation M-Files Server Affected: 0 , < 25.12.15491.7 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-14267",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-19T15:39:44.479615Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-19T15:39:54.861Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "M-Files Server",
              "vendor": "M-Files Corporation",
              "versions": [
                {
                  "lessThan": "25.12.15491.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Incomplete removal of sensitive information before transfer vulnerability in M-Files Corporation M-Files Server allows data leak exposure affecting versions before 25.12.15491.7"
                }
              ],
              "value": "Incomplete removal of sensitive information before transfer vulnerability in M-Files Corporation M-Files Server allows data leak exposure affecting versions before 25.12.15491.7"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-410",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-410 Information Elicitation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 5.6,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-212",
                  "description": "CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-23T10:35:14.878Z",
            "orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
            "shortName": "M-Files Corporation"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://product.m-files.com/security-advisories/cve-2025-14267/"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://empower.m-files.com/security-advisories/CVE-2025-14267"
            }
          ],
          "source": {
            "discovery": "USER"
          },
          "title": "Unintended temporary cached data included in a structure only copy intended to be empty of data",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
        "assignerShortName": "M-Files Corporation",
        "cveId": "CVE-2025-14267",
        "datePublished": "2025-12-19T06:15:09.580Z",
        "dateReserved": "2025-12-08T13:09:32.914Z",
        "dateUpdated": "2026-02-23T10:35:14.878Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-14318 (GCVE-0-2025-14318)

    Vulnerability from cvelistv5 – Published: 2025-12-18 07:32 – Updated: 2026-02-23 10:35
    VLAI
    Title
    Improper access validation in M-Files Server
    Summary
    Improper access checks in M-Files Server before 25.12.15491.7 allows users to download files through M-Files Web using Web Companion despite Print and Download Prevention module being enabled.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Impacted products
    Vendor Product Version
    M-Files Corporation M-Files Server Affected: 0 , < 25.12.15491.7 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-14318",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-18T15:01:59.800067Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-18T15:02:15.225Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "M-Files Server",
              "vendor": "M-Files Corporation",
              "versions": [
                {
                  "lessThan": "25.12.15491.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper access checks in M-Files Server before 25.12.15491.7 allows users to download files through M-Files Web using Web Companion despite Print and Download Prevention module being enabled.\u003cbr\u003e"
                }
              ],
              "value": "Improper access checks in M-Files Server before 25.12.15491.7 allows users to download files through M-Files Web using Web Companion despite Print and Download Prevention module being enabled."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-1",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863 Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-23T10:35:59.056Z",
            "orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
            "shortName": "M-Files Corporation"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://product.m-files.com/security-advisories/cve-2025-14318/"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://empower.m-files.com/security-advisories/CVE-2025-14318"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to the latest version.\u0026nbsp;"
                }
              ],
              "value": "Update to the latest version."
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Improper access validation in M-Files Server",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "No workaround available on affected versions.\u003cbr\u003e"
                }
              ],
              "value": "No workaround available on affected versions."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
        "assignerShortName": "M-Files Corporation",
        "cveId": "CVE-2025-14318",
        "datePublished": "2025-12-18T07:32:34.230Z",
        "dateReserved": "2025-12-09T10:22:36.277Z",
        "dateUpdated": "2026-02-23T10:35:59.056Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-11681 (GCVE-0-2025-11681)

    Vulnerability from cvelistv5 – Published: 2025-11-17 11:30 – Updated: 2026-02-23 10:33
    VLAI
    Title
    Denial of Service condition in M-Files Server
    Summary
    Denial-of-service condition in M-Files Server versions before 25.11.15392.1, before 25.2 LTS SR2 and before 25.8 LTS SR2 allows an authenticated user to cause the MFserver process to crash.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Impacted products
    Vendor Product Version
    M-Files Corporation M-Files Server Affected: 0 , < 25.11.15392.1 (custom)
    Unaffected: 25.2.14524.13
    Unaffected: 25.8.15085.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-11681",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-17T14:35:26.225254Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-17T14:36:42.885Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "M-Files Server",
              "vendor": "M-Files Corporation",
              "versions": [
                {
                  "lessThan": "25.11.15392.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "25.2.14524.13"
                },
                {
                  "status": "unaffected",
                  "version": "25.8.15085.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Denial-of-service condition in M-Files Server versions before 25.11.15392.1, before 25.2 LTS SR2 and before 25.8 LTS SR2 allows an authenticated user to cause the MFserver process to crash.\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "Denial-of-service condition in M-Files Server versions before 25.11.15392.1, before 25.2 LTS SR2 and before 25.8 LTS SR2 allows an authenticated user to cause the MFserver process to crash."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-492",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-492 Regular Expression Exponential Blowup"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400 Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-23T10:33:40.472Z",
            "orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
            "shortName": "M-Files Corporation"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://product.m-files.com/security-advisories/cve-2025-11681/"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://empower.m-files.com/security-advisories/CVE-2025-11681"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Denial of Service condition in M-Files Server",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "No workaround available on affected versions.\u003cbr\u003e"
                }
              ],
              "value": "No workaround available on affected versions."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
        "assignerShortName": "M-Files Corporation",
        "cveId": "CVE-2025-11681",
        "datePublished": "2025-11-17T11:30:25.324Z",
        "dateReserved": "2025-10-13T10:29:59.870Z",
        "dateUpdated": "2026-02-23T10:33:40.472Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-5964 (GCVE-0-2025-5964)

    Vulnerability from cvelistv5 – Published: 2025-06-15 19:42 – Updated: 2026-02-23 10:29
    VLAI
    Title
    Path traversal in M-Files API
    Summary
    A path traversal issue in the API endpoint in M-Files Server before version 25.6.14925.0 allows an authenticated user to read files in the server.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Impacted products
    Vendor Product Version
    M-Files Corporation M-Files Server Affected: 0 , < 25.6.14925.0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-5964",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-16T13:46:19.248409Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-16T13:46:48.208Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "M-Files Server",
              "vendor": "M-Files Corporation",
              "versions": [
                {
                  "lessThan": "25.6.14925.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A path traversal issue in the API endpoint in M-Files Server before version 25.6.14925.0 allows an authenticated user to read files in the server."
                }
              ],
              "value": "A path traversal issue in the API endpoint in M-Files Server before version 25.6.14925.0 allows an authenticated user to read files in the server."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-126 Path Traversal"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "GREEN",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/RE:M/U:Green",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "MODERATE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-23T10:29:03.940Z",
            "orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
            "shortName": "M-Files Corporation"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://product.m-files.com/security-advisories/cve-2025-5964"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://empower.m-files.com/security-advisories/CVE-2025-5964"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\u003cdiv\u003eUpdate to the latest patched version.\u003c/div\u003e\u003c/div\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "Update to the latest patched version."
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Path traversal in M-Files API",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
        "assignerShortName": "M-Files Corporation",
        "cveId": "CVE-2025-5964",
        "datePublished": "2025-06-15T19:42:24.617Z",
        "dateReserved": "2025-06-10T07:36:27.344Z",
        "dateUpdated": "2026-02-23T10:29:03.940Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-3086 (GCVE-0-2025-3086)

    Vulnerability from cvelistv5 – Published: 2025-04-04 06:37 – Updated: 2026-02-23 10:26
    VLAI
    Title
    User in anonymous role could create and delete views
    Summary
    Improper isolation of users in M-Files Server version before 25.3.14549 allows anonymous user to affect other anonymous users views and possibly cause a denial of service
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Impacted products
    Vendor Product Version
    M-Files Corporation M-Files Server Affected: 0 , < 25.3.14549 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-3086",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-04T13:24:14.425443Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-04T13:25:05.573Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "M-Files Server",
              "vendor": "M-Files Corporation",
              "versions": [
                {
                  "lessThan": "25.3.14549",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper isolation of users in M-Files Server version before 25.3.14549 allows anonymous user to affect other anonymous users views and possibly cause a denial of service"
                }
              ],
              "value": "Improper isolation of users in M-Files Server version before 25.3.14549 allows anonymous user to affect other anonymous users views and possibly cause a denial of service"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-130",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-130 Excessive Allocation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-653",
                  "description": "CWE-653",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-23T10:26:58.607Z",
            "orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
            "shortName": "M-Files Corporation"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://product.m-files.com/security-advisories/cve-2025-3086/"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://empower.m-files.com/security-advisories/CVE-2025-3086"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "User in anonymous role could create and delete views",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
        "assignerShortName": "M-Files Corporation",
        "cveId": "CVE-2025-3086",
        "datePublished": "2025-04-04T06:37:42.901Z",
        "dateReserved": "2025-04-01T11:18:33.242Z",
        "dateUpdated": "2026-02-23T10:26:58.607Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-0635 (GCVE-0-2025-0635)

    Vulnerability from cvelistv5 – Published: 2025-01-23 11:07 – Updated: 2026-02-23 10:23
    VLAI
    Title
    Denial of Service condition in M-Files Server
    Summary
    Denial of service condition in M-Files Server in versions before 25.1.14445.5 allows an unauthenticated user to consume computing resources in certain conditions.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Impacted products
    Vendor Product Version
    M-Files Corporation M-Files Server Affected: 0 , < 25.1.14445.5 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-0635",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-23T14:10:35.470065Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T20:41:24.321Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "M-Files Server",
              "vendor": "M-Files Corporation",
              "versions": [
                {
                  "lessThan": "25.1.14445.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(242, 244, 249);\"\u003eDenial of service condition in M-Files Server in versions before \n\n25.1.14445.5 allows an unauthenticated user to consume computing resources in certain conditions.\u003c/span\u003e"
                }
              ],
              "value": "Denial of service condition in M-Files Server in versions before \n\n25.1.14445.5 allows an unauthenticated user to consume computing resources in certain conditions."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-229",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-229 Serialized Data Parameter Blowup"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-23T10:23:57.202Z",
            "orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
            "shortName": "M-Files Corporation"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://product.m-files.com/security-advisories/cve-2025-0635/"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://empower.m-files.com/security-advisories/CVE-2025-0635"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Denial of Service condition in M-Files Server",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
        "assignerShortName": "M-Files Corporation",
        "cveId": "CVE-2025-0635",
        "datePublished": "2025-01-23T11:07:51.496Z",
        "dateReserved": "2025-01-22T08:51:14.145Z",
        "dateUpdated": "2026-02-23T10:23:57.202Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-0619 (GCVE-0-2025-0619)

    Vulnerability from cvelistv5 – Published: 2025-01-23 11:07 – Updated: 2026-02-23 10:23
    VLAI
    Title
    Unsafe stored password recovery
    Summary
    Unsafe password recovery from configuration in M-Files Server before 25.1 allows a highly privileged user to recover external connector passwords
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-522 - Insufficiently Protected Credentials
    Impacted products
    Vendor Product Version
    M-Files Corporation M-Files Server Affected: 0 , < 25.1.14445.5 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-0619",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-23T14:10:53.031754Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T20:41:24.465Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "M-Files Server",
              "vendor": "M-Files Corporation",
              "versions": [
                {
                  "lessThan": "25.1.14445.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Unsafe password recovery from configuration in M-Files Server before 25.1 allows a highly privileged user to recover external connector passwords\u0026nbsp;\u003cbr\u003e"
                }
              ],
              "value": "Unsafe password recovery from configuration in M-Files Server before 25.1 allows a highly privileged user to recover external connector passwords"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-212",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-212 Functionality Misuse"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 4.6,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-522",
                  "description": "CWE-522 Insufficiently Protected Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-23T10:23:24.587Z",
            "orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
            "shortName": "M-Files Corporation"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://product.m-files.com/security-advisories/cve-2025-0619/"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://empower.m-files.com/security-advisories/CVE-2025-0619"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Unsafe stored password recovery",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
        "assignerShortName": "M-Files Corporation",
        "cveId": "CVE-2025-0619",
        "datePublished": "2025-01-23T11:07:10.295Z",
        "dateReserved": "2025-01-21T14:07:32.386Z",
        "dateUpdated": "2026-02-23T10:23:24.587Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-0648 (GCVE-0-2025-0648)

    Vulnerability from cvelistv5 – Published: 2025-01-23 11:06 – Updated: 2026-02-23 10:24
    VLAI
    Title
    M-Files Server crash via EOT database driver configuration
    Summary
    Unexpected server crash in database driver in M-Files Server before 25.1.14445.5 and before 24.8 LTS SR3 allows a highly privileged attacker to cause denial of service via configuration change.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Impacted products
    Vendor Product Version
    M-Files Corporation M-Files Server Affected: 0 , < 25.1.14445.5 (custom)
    Unaffected: 24.8.13981.14 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-0648",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-23T14:11:06.426320Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T20:41:24.628Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "M-Files Server",
              "vendor": "M-Files Corporation",
              "versions": [
                {
                  "lessThan": "25.1.14445.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "24.8.13981.14",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Unexpected server crash in database driver in M-Files Server before 25.1.14445.5 and before 24.8 LTS SR3  allows a highly privileged attacker to cause denial of service via configuration change."
                }
              ],
              "value": "Unexpected server crash in database driver in M-Files Server before 25.1.14445.5 and before 24.8 LTS SR3  allows a highly privileged attacker to cause denial of service via configuration change."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-137",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-137 Parameter Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-248",
                  "description": "CWE-248 Uncaught Exception",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-23T10:24:49.952Z",
            "orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
            "shortName": "M-Files Corporation"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://product.m-files.com/security-advisories/cve-2025-0648/"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://empower.m-files.com/security-advisories/CVE-2025-0648"
            }
          ],
          "source": {
            "discovery": "USER"
          },
          "title": "M-Files Server crash via EOT database driver configuration",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
        "assignerShortName": "M-Files Corporation",
        "cveId": "CVE-2025-0648",
        "datePublished": "2025-01-23T11:06:19.319Z",
        "dateReserved": "2025-01-22T14:47:55.988Z",
        "dateUpdated": "2026-02-23T10:24:49.952Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-10127 (GCVE-0-2024-10127)

    Vulnerability from cvelistv5 – Published: 2024-11-20 08:36 – Updated: 2026-02-23 10:21
    VLAI
    Title
    Support for authentication bypass condition in M-Files LDAP authentication
    Summary
    Authentication bypass condition in LDAP authentication in M-Files server versions before 24.11 supported usage of OpenLDAP configurations that allowed user authentication without a password when the LDAP server itself had the vulnerable configuration.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-303 - Incorrect Implementation of Authentication Algorithm
    Impacted products
    Vendor Product Version
    M-Files Corporation M-Files Server Affected: 0 , < 24.11 (semver)
    Unaffected: 0 , < 24.8 LTS SR2 (custom)
    Create a notification for this product.
    m-files m-files Affected: 0 , < 24.11 (semver)
        cpe:2.3:a:m-files:m-files:-:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:m-files:m-files:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "m-files",
                "vendor": "m-files",
                "versions": [
                  {
                    "lessThan": "24.11",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-10127",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-20T20:20:29.147851Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-21T14:40:27.028Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows"
              ],
              "product": "M-Files Server",
              "vendor": "M-Files Corporation",
              "versions": [
                {
                  "lessThan": "24.11",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "24.8 LTS SR2",
                  "status": "unaffected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Authentication bypass condition in LDAP authentication in M-Files server versions before 24.11 supported usage of OpenLDAP configurations that allowed user authentication without a password when the LDAP server itself had the vulnerable configuration."
                }
              ],
              "value": "Authentication bypass condition in LDAP authentication in M-Files server versions before 24.11 supported usage of OpenLDAP configurations that allowed user authentication without a password when the LDAP server itself had the vulnerable configuration."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-114",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-114 Authentication Abuse"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 9.2,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-303",
                  "description": "CWE-303: Incorrect Implementation of Authentication Algorithm",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-23T10:21:16.507Z",
            "orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
            "shortName": "M-Files Corporation"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://product.m-files.com/security-advisories/CVE-2024-10127"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://empower.m-files.com/security-advisories/CVE-2024-10127"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to patched version\n\n\u003cbr\u003e"
                }
              ],
              "value": "Update to patched version"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Support for authentication bypass condition in M-Files LDAP authentication",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
        "assignerShortName": "M-Files Corporation",
        "cveId": "CVE-2024-10127",
        "datePublished": "2024-11-20T08:36:03.443Z",
        "dateReserved": "2024-10-18T13:26:52.758Z",
        "dateUpdated": "2026-02-23T10:21:16.507Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-6789 (GCVE-0-2024-6789)

    Vulnerability from cvelistv5 – Published: 2024-08-27 09:57 – Updated: 2026-02-23 10:17
    VLAI
    Title
    Path traversal in M-Files API
    Summary
    A path traversal issue in API endpoint in M-Files Server before version 24.8.13981.0 and LTS 24.2.13421.15 SR2 and LTS 23.8.12892.0 SR6 allows authenticated user to read files
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Impacted products
    Vendor Product Version
    M-Files Corporation M-Files Server Affected: 0 , < 24.8.13981.0 (semver)
    Affected: LTS 24.2.0 , < LTS 24.2.13421.15 SR2 (custom)
    Affected: LTS 23.8.0 , < LTS 23.8.12892.0 SR6 (custom)
    Create a notification for this product.
    Date Public
    2024-08-27 06:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6789",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-27T13:13:31.263628Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-27T13:13:43.057Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "M-Files Server",
              "vendor": "M-Files Corporation",
              "versions": [
                {
                  "lessThan": "24.8.13981.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "LTS 24.2.13421.15 SR2",
                  "status": "affected",
                  "version": "LTS 24.2.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "LTS 23.8.12892.0 SR6",
                  "status": "affected",
                  "version": "LTS 23.8.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2024-08-27T06:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A path traversal issue in API endpoint in M-Files Server before version 24.8.13981.0 and\u0026nbsp;LTS 24.2.13421.15 SR2 and\u0026nbsp;LTS 23.8.12892.0 SR6 allows authenticated user to read files"
                }
              ],
              "value": "A path traversal issue in API endpoint in M-Files Server before version 24.8.13981.0 and\u00a0LTS 24.2.13421.15 SR2 and\u00a0LTS 23.8.12892.0 SR6 allows authenticated user to read files"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-126 Path Traversal"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "GREEN",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/RE:M/U:Green",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "MODERATE"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-23T10:17:03.748Z",
            "orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
            "shortName": "M-Files Corporation"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://product.m-files.com/security-advisories/cve-2024-6789/"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://empower.m-files.com/security-advisories/CVE-2024-6789"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to patched version"
                }
              ],
              "value": "Update to patched version"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Path traversal in M-Files API",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
        "assignerShortName": "M-Files Corporation",
        "cveId": "CVE-2024-6789",
        "datePublished": "2024-08-27T09:57:00.441Z",
        "dateReserved": "2024-07-16T12:19:08.442Z",
        "dateUpdated": "2026-02-23T10:17:03.748Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-4056 (GCVE-0-2024-4056)

    Vulnerability from cvelistv5 – Published: 2024-04-26 06:02 – Updated: 2026-02-23 10:10
    VLAI
    Title
    Denial of service condition in M-Files Server
    Summary
    Denial of service condition in M-Files Server in versions before 24.4.13592.4 and after 23.11 (excluding 24.2 LTS) allows unauthenticated user to consume computing resources.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1333 - Inefficient Regular Expression Complexity
    Impacted products
    Vendor Product Version
    M-Files Corporation M-Files Server Affected: 23.11 , < 24.4.13592.4 (custom)
    Unaffected: 24.2 LTS
    Create a notification for this product.
    m-files m-files_server Affected: *
        cpe:2.3:a:m-files:m-files_server:-:*:*:*:*:*:*:*
    Create a notification for this product.
    m-files m-files_server Affected: -
        cpe:2.3:a:m-files:m-files_server:-:*:*:*:*:*:*:*
    Create a notification for this product.
    m-files m-files_server Unknown: 24.2 LTS
        cpe:2.3:a:m-files:m-files_server:-:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-04-29 11:05
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:m-files:m-files_server:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "m-files_server",
                "vendor": "m-files",
                "versions": [
                  {
                    "status": "affected",
                    "version": "*"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:m-files:m-files_server:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "m-files_server",
                "vendor": "m-files",
                "versions": [
                  {
                    "status": "affected",
                    "version": "-"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:m-files:m-files_server:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "m-files_server",
                "vendor": "m-files",
                "versions": [
                  {
                    "status": "unknown",
                    "version": "24.2 LTS"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-4056",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-26T19:19:39.222407Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:56:32.437Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:26:57.309Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2024-4056/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "M-Files Server",
              "vendor": "M-Files Corporation",
              "versions": [
                {
                  "lessThan": "24.4.13592.4",
                  "status": "affected",
                  "version": "23.11",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "24.2 LTS"
                }
              ]
            }
          ],
          "datePublic": "2024-04-29T11:05:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eDenial of service condition in M-Files Server in versions before 24.4.13592.4\u0026nbsp;and after 23.11 (excluding 24.2 LTS) allows unauthenticated user to consume computing resources.\u003c/span\u003e"
                }
              ],
              "value": "Denial of service condition in M-Files Server in versions before 24.4.13592.4\u00a0and after 23.11 (excluding 24.2 LTS) allows unauthenticated user to consume computing resources."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-492",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-492 Regular Expression Exponential Blowup"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1333",
                  "description": "CWE-1333: Inefficient Regular Expression Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-23T10:10:50.553Z",
            "orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
            "shortName": "M-Files Corporation"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://product.m-files.com/security-advisories/cve-2024-4056/"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://empower.m-files.com/security-advisories/CVE-2024-4056"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Denial of service condition in M-Files Server",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "No workaround available on affected versions."
                }
              ],
              "value": "No workaround available on affected versions."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
        "assignerShortName": "M-Files Corporation",
        "cveId": "CVE-2024-4056",
        "datePublished": "2024-04-26T06:02:21.917Z",
        "dateReserved": "2024-04-23T08:17:04.443Z",
        "dateUpdated": "2026-02-23T10:10:50.553Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }