10 vulnerability records found for element-web by element-hq (5 distinct CVEs, each listed twice: once from the cvelistv5 feed and once from the NVD feed)
CVE-2025-59161 (GCVE-0-2025-59161)
Vulnerability from cvelistv5 – Published: 2025-09-16 16:44 – Updated: 2025-09-16 18:26
Summary
Element Web is a Matrix web client built using the Matrix React SDK. Element Web and Element Desktop before version 1.11.112 insufficiently validate room predecessor links (the reference an upgraded room carries to the room it replaces), allowing a remote attacker to temporarily replace a room's entry in the room list with an unrelated, attacker-supplied room. No privileges or user interaction are required (CVSS v4.0 PR:N/UI:N), and CISA's SSVC assessment rates the issue as automatable. The effect is transient, but it can still mislead users into acting on incorrect assumptions; per the advisory title, leaving the malicious room can also cause the hidden, unrelated room to be left. The issue has been patched and users should upgrade to 1.11.112. Until then, a reload/refresh restores the correct room list state, removing the attacker's room and showing the original room again.
Severity: 2.7 (Low) — CVSS v4.0 base score; vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
CWE
- CWE-20 - Improper Input Validation
Assigner: GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/element-hq/element-web/security/advisories/GHSA-m6c8-98f4-75rr | x_refsource_CONFIRM (vendor advisory) |
| https://github.com/element-hq/element-web/commit/8e9a43d70c90e6a3b110cd0a377296079e4c81f5 | x_refsource_MISC (fix commit) |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| element-hq | element-web | Affected: < 1.11.112 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59161",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-16T17:29:24.810855Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T18:26:26.341Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "element-web",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.112"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Element Web is a Matrix web client built using the Matrix React SDK. Element Web and Element Desktop before version 1.11.112 have insufficient validation of room predecessor links, allowing a remote attacker to attempt to impermanently replace a room\u0027s entry in the room list with an unrelated attacker-supplied room. While the effect of this is temporary, it may still confuse users into acting on incorrect assumptions. The issue has been patched and users should upgrade to 1.11.112. A reload/refresh will fix the incorrect room list state, removing the attacker\u0027s room and restoring the original room."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.7,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T16:44:15.660Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/element-web/security/advisories/GHSA-m6c8-98f4-75rr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/element-web/security/advisories/GHSA-m6c8-98f4-75rr"
},
{
"name": "https://github.com/element-hq/element-web/commit/8e9a43d70c90e6a3b110cd0a377296079e4c81f5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/element-web/commit/8e9a43d70c90e6a3b110cd0a377296079e4c81f5"
}
],
"source": {
"advisory": "GHSA-m6c8-98f4-75rr",
"discovery": "UNKNOWN"
},
"title": "In Element Web and Element Desktop, a malicious room can hide an unrelated room and cause it to be left when the malicious room is left"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59161",
"datePublished": "2025-09-16T16:44:15.660Z",
"dateReserved": "2025-09-09T15:23:16.327Z",
"dateUpdated": "2025-09-16T18:26:26.341Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32026 (GCVE-0-2025-32026)
Vulnerability from cvelistv5 – Published: 2025-04-08 15:22 – Updated: 2025-04-08 20:02
Summary
Element Web is a Matrix web client built using the Matrix React SDK. Element Web from version 1.11.16 up to and including 1.11.96 can be configured to load Element Call from an external URL. Under certain conditions, that external page is able to obtain the media encryption keys used for an Element Call call, so a malicious or compromised Element Call host could decrypt call media. Only deployments configured to load Element Call from an external URL are affected; the CVSS v3.1 rating of PR:H reflects that the attacker must control the page served at that URL. Version 1.11.97 fixes the problem; deployment operators should also review which Element Call URL their configuration points at.
Severity: 3.8 (Low) — CVSS v3.1 base score; vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
CWE
- CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
Assigner: GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/element-hq/element-web/security/advisories/GHSA-69q3-jg79-cg79 | x_refsource_CONFIRM (vendor advisory) |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| element-hq | element-web | Affected: >= 1.11.16, < 1.11.97 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32026",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-08T20:02:07.589546Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-08T20:02:20.297Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "element-web",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.11.16, \u003c 1.11.97"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Element Web is a Matrix web client built using the Matrix React SDK. Element Web, starting from version 1.11.16 up to version 1.11.96, can be configured to load Element Call from an external URL. Under certain conditions, the external page is able to get access to the media encryption keys used for an Element Call call. Version 1.11.97 fixes the problem."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-497",
"description": "CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-08T15:22:54.903Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/element-web/security/advisories/GHSA-69q3-jg79-cg79",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/element-web/security/advisories/GHSA-69q3-jg79-cg79"
}
],
"source": {
"advisory": "GHSA-69q3-jg79-cg79",
"discovery": "UNKNOWN"
},
"title": "Element Web could load a malicious instance of Element Call leaking media encryption keys"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-32026",
"datePublished": "2025-04-08T15:22:54.903Z",
"dateReserved": "2025-04-01T21:57:32.956Z",
"dateUpdated": "2025-04-08T20:02:20.297Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-51750 (GCVE-0-2024-51750)
Vulnerability from cvelistv5 – Published: 2024-11-12 16:34 – Updated: 2024-11-12 17:12
Summary
Element is a Matrix web client built using the Matrix React SDK. A malicious homeserver can send invalid (malformed) messages over federation that prevent Element Web and Desktop from rendering individual messages or the entire room containing them (CWE-248, uncaught exception). Because the events arrive over federation, any homeserver that shares a room with the victim can trigger this, with no interaction from the victim; the impact is availability only (CVSS v3.1 A:L, scope changed). This was patched in Element Web and Desktop 1.11.85.
Severity: 5.0 (Medium) — CVSS v3.1 base score; vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L
CWE
- CWE-248 - Uncaught Exception
Assigner: GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/element-hq/element-web/security/advisories/GHSA-w36j-v56h-q9pc | x_refsource_CONFIRM (vendor advisory) |
| https://github.com/element-hq/element-web/commit/231073c578d5f92b33cde7aa2b0b9c5836b2dc48 | x_refsource_MISC (fix commit) |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| element-hq | element-web | Affected: < 1.11.85 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-51750",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T17:12:11.203871Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T17:12:21.715Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "element-web",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.85"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Element is a Matrix web client built using the Matrix React SDK. A malicious homeserver can send invalid messages over federation which can prevent Element Web and Desktop from rendering single messages or the entire room containing them. This was patched in Element Web and Desktop 1.11.85."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-248",
"description": "CWE-248: Uncaught Exception",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T16:34:27.928Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/element-web/security/advisories/GHSA-w36j-v56h-q9pc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/element-web/security/advisories/GHSA-w36j-v56h-q9pc"
},
{
"name": "https://github.com/element-hq/element-web/commit/231073c578d5f92b33cde7aa2b0b9c5836b2dc48",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/element-web/commit/231073c578d5f92b33cde7aa2b0b9c5836b2dc48"
}
],
"source": {
"advisory": "GHSA-w36j-v56h-q9pc",
"discovery": "UNKNOWN"
},
"title": "Element allows a malicious homeserver can modify events leading to unrenderable events or rooms"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-51750",
"datePublished": "2024-11-12T16:34:27.928Z",
"dateReserved": "2024-10-31T14:12:45.790Z",
"dateUpdated": "2024-11-12T17:12:21.715Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-51749 (GCVE-0-2024-51749)
Vulnerability from cvelistv5 – Published: 2024-11-12 16:34 – Updated: 2024-11-12 17:14
Summary
Element is a Matrix web client built using the Matrix React SDK. Versions of Element Web and Desktop earlier than 1.11.85 do not check that the thumbnail attached to an attachment, sticker or image event is coherent with the event's actual content. An attacker who can send events to a room can therefore supply a thumbnail that misrepresents what clicking the item will do — for example, an event that triggers a file download once clicked (CWE-451, UI misrepresentation of critical information). Exploitation requires the victim to click the item (CVSS v3.1 UI:R). Fixed in element-web 1.11.85.
Severity: 3.5 (Low) — CVSS v3.1 base score; vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
CWE
- CWE-451 - User Interface (UI) Misrepresentation of Critical Information
Assigner: GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/element-hq/element-web/security/advisories/GHSA-5486-384g-mcx2 | x_refsource_CONFIRM (vendor advisory) |
| https://github.com/element-hq/element-web/commit/a00c343435d633e64de2c0548217aa611c7bbef5 | x_refsource_MISC (fix commit) |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| element-hq | element-web | Affected: < 1.11.85 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-51749",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T17:14:12.000969Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T17:14:30.943Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "element-web",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.85"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Element is a Matrix web client built using the Matrix React SDK. Versions of Element Web and Desktop earlier than 1.11.85 do not check if thumbnails for attachments, stickers and images are coherent. It is possible to add thumbnails to events trigger a file download once clicked. Fixed in element-web 1.11.85."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-451",
"description": "CWE-451: User Interface (UI) Misrepresentation of Critical Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T16:34:21.603Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/element-web/security/advisories/GHSA-5486-384g-mcx2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/element-web/security/advisories/GHSA-5486-384g-mcx2"
},
{
"name": "https://github.com/element-hq/element-web/commit/a00c343435d633e64de2c0548217aa611c7bbef5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/element-web/commit/a00c343435d633e64de2c0548217aa611c7bbef5"
}
],
"source": {
"advisory": "GHSA-5486-384g-mcx2",
"discovery": "UNKNOWN"
},
"title": "Element\u0027s thumbnails can be abused to misrepresent the content of an attachment"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-51749",
"datePublished": "2024-11-12T16:34:21.603Z",
"dateReserved": "2024-10-31T14:12:45.790Z",
"dateUpdated": "2024-11-12T17:14:30.943Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47779 (GCVE-0-2024-47779)
Vulnerability from cvelistv5 – Published: 2024-10-15 15:28 – Updated: 2024-11-12 16:07
Summary
Element is a Matrix web client built using the Matrix React SDK. Element Web versions 1.11.70 through 1.11.80 contain a vulnerability which can, under specially crafted conditions, lead to the user's Matrix access token being exposed to third parties. At least one vector has been identified internally, involving malicious widgets, but other vectors may exist. Note that despite superficial similarity to CVE-2024-47771, this is an entirely separate vulnerability, caused by a separate piece of code included only in Element Web: Element Web and Element Desktop share most, but not all, of their code, and this vulnerability exists in the part of the code base that is not shared between the projects, so Element Desktop is not affected by this CVE. Users are strongly advised to upgrade to version 1.11.81 to remediate the issue. As a workaround, avoid granting permissions to untrusted widgets. Because an exposed access token can be used to act as the user until it is invalidated, users who may have granted permissions to untrusted widgets while on an affected version should also sign out the affected session (which invalidates the token) after upgrading.
Severity: 7.0 (High) — CVSS v4.0 base score; vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner: GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/element-hq/element-web/security/advisories/GHSA-3jm3-x98c-r34x | x_refsource_CONFIRM (vendor advisory) |
| https://github.com/element-hq/element-web/commit/8d7f2b5c1301129a488d3597f3839bd74203ee62 | x_refsource_MISC (fix commit) |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| element-hq | element-web | Affected: >= 1.11.70, < 1.11.81 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47779",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T15:44:14.817960Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T15:44:32.771Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "element-web",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.11.70, \u003c 1.11.81"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Element is a Matrix web client built using the Matrix React SDK. Element Web versions 1.11.70 through 1.11.80 contain a vulnerability which can, under specially crafted conditions, lead to the access token becoming exposed to third parties. At least one vector has been identified internally, involving malicious widgets, but other vectors may exist. Note that despite superficial similarity to CVE-2024-47771, this is an entirely separate vulnerability, caused by a separate piece of code included only in Element Web. Element Web and Element Desktop share most but not all, of their code and this vulnerability exists in the part of the code base which is not shared between the projects. Users are strongly advised to upgrade to version 1.11.81 to remediate the issue. As a workaround, avoid granting permissions to untrusted widgets."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T16:07:45.332Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/element-web/security/advisories/GHSA-3jm3-x98c-r34x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/element-web/security/advisories/GHSA-3jm3-x98c-r34x"
},
{
"name": "https://github.com/element-hq/element-web/commit/8d7f2b5c1301129a488d3597f3839bd74203ee62",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/element-web/commit/8d7f2b5c1301129a488d3597f3839bd74203ee62"
}
],
"source": {
"advisory": "GHSA-3jm3-x98c-r34x",
"discovery": "UNKNOWN"
},
"title": "Element Web vulnerable to potential exposure of access token via authenticated media"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47779",
"datePublished": "2024-10-15T15:28:00.293Z",
"dateReserved": "2024-09-30T21:28:53.236Z",
"dateUpdated": "2024-11-12T16:07:45.332Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59161 (GCVE-0-2025-59161)
Vulnerability from nvd – Published: 2025-09-16 16:44 – Updated: 2025-09-16 18:26
Summary
Element Web is a Matrix web client built using the Matrix React SDK. Element Web and Element Desktop before version 1.11.112 insufficiently validate room predecessor links (the reference an upgraded room carries to the room it replaces), allowing a remote attacker to temporarily replace a room's entry in the room list with an unrelated, attacker-supplied room. No privileges or user interaction are required (CVSS v4.0 PR:N/UI:N), and CISA's SSVC assessment rates the issue as automatable. The effect is transient, but it can still mislead users into acting on incorrect assumptions; per the advisory title, leaving the malicious room can also cause the hidden, unrelated room to be left. The issue has been patched and users should upgrade to 1.11.112. Until then, a reload/refresh restores the correct room list state, removing the attacker's room and showing the original room again.
Severity: 2.7 (Low) — CVSS v4.0 base score; vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
CWE
- CWE-20 - Improper Input Validation
Assigner: GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/element-hq/element-web/security/advisories/GHSA-m6c8-98f4-75rr | x_refsource_CONFIRM (vendor advisory) |
| https://github.com/element-hq/element-web/commit/8e9a43d70c90e6a3b110cd0a377296079e4c81f5 | x_refsource_MISC (fix commit) |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| element-hq | element-web | Affected: < 1.11.112 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59161",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-16T17:29:24.810855Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T18:26:26.341Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "element-web",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.112"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Element Web is a Matrix web client built using the Matrix React SDK. Element Web and Element Desktop before version 1.11.112 have insufficient validation of room predecessor links, allowing a remote attacker to attempt to impermanently replace a room\u0027s entry in the room list with an unrelated attacker-supplied room. While the effect of this is temporary, it may still confuse users into acting on incorrect assumptions. The issue has been patched and users should upgrade to 1.11.112. A reload/refresh will fix the incorrect room list state, removing the attacker\u0027s room and restoring the original room."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.7,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T16:44:15.660Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/element-web/security/advisories/GHSA-m6c8-98f4-75rr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/element-web/security/advisories/GHSA-m6c8-98f4-75rr"
},
{
"name": "https://github.com/element-hq/element-web/commit/8e9a43d70c90e6a3b110cd0a377296079e4c81f5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/element-web/commit/8e9a43d70c90e6a3b110cd0a377296079e4c81f5"
}
],
"source": {
"advisory": "GHSA-m6c8-98f4-75rr",
"discovery": "UNKNOWN"
},
"title": "In Element Web and Element Desktop, a malicious room can hide an unrelated room and cause it to be left when the malicious room is left"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59161",
"datePublished": "2025-09-16T16:44:15.660Z",
"dateReserved": "2025-09-09T15:23:16.327Z",
"dateUpdated": "2025-09-16T18:26:26.341Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32026 (GCVE-0-2025-32026)
Vulnerability from nvd – Published: 2025-04-08 15:22 – Updated: 2025-04-08 20:02
Summary
Element Web is a Matrix web client built using the Matrix React SDK. Element Web from version 1.11.16 up to and including 1.11.96 can be configured to load Element Call from an external URL. Under certain conditions, that external page is able to obtain the media encryption keys used for an Element Call call, so a malicious or compromised Element Call host could decrypt call media. Only deployments configured to load Element Call from an external URL are affected; the CVSS v3.1 rating of PR:H reflects that the attacker must control the page served at that URL. Version 1.11.97 fixes the problem; deployment operators should also review which Element Call URL their configuration points at.
Severity: 3.8 (Low) — CVSS v3.1 base score; vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
CWE
- CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
Assigner: GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/element-hq/element-web/security/advisories/GHSA-69q3-jg79-cg79 | x_refsource_CONFIRM (vendor advisory) |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| element-hq | element-web | Affected: >= 1.11.16, < 1.11.97 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32026",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-08T20:02:07.589546Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-08T20:02:20.297Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "element-web",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.11.16, \u003c 1.11.97"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Element Web is a Matrix web client built using the Matrix React SDK. Element Web, starting from version 1.11.16 up to version 1.11.96, can be configured to load Element Call from an external URL. Under certain conditions, the external page is able to get access to the media encryption keys used for an Element Call call. Version 1.11.97 fixes the problem."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-497",
"description": "CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-08T15:22:54.903Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/element-web/security/advisories/GHSA-69q3-jg79-cg79",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/element-web/security/advisories/GHSA-69q3-jg79-cg79"
}
],
"source": {
"advisory": "GHSA-69q3-jg79-cg79",
"discovery": "UNKNOWN"
},
"title": "Element Web could load a malicious instance of Element Call leaking media encryption keys"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-32026",
"datePublished": "2025-04-08T15:22:54.903Z",
"dateReserved": "2025-04-01T21:57:32.956Z",
"dateUpdated": "2025-04-08T20:02:20.297Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-51750 (GCVE-0-2024-51750)
Vulnerability from nvd – Published: 2024-11-12 16:34 – Updated: 2024-11-12 17:12
Summary
Element is a Matrix web client built using the Matrix React SDK. A malicious homeserver can send invalid (malformed) messages over federation that prevent Element Web and Desktop from rendering individual messages or the entire room containing them (CWE-248, uncaught exception). Because the events arrive over federation, any homeserver that shares a room with the victim can trigger this, with no interaction from the victim; the impact is availability only (CVSS v3.1 A:L, scope changed). This was patched in Element Web and Desktop 1.11.85.
Severity: 5.0 (Medium) — CVSS v3.1 base score; vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L
CWE
- CWE-248 - Uncaught Exception
Assigner: GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/element-hq/element-web/security/advisories/GHSA-w36j-v56h-q9pc | x_refsource_CONFIRM (vendor advisory) |
| https://github.com/element-hq/element-web/commit/231073c578d5f92b33cde7aa2b0b9c5836b2dc48 | x_refsource_MISC (fix commit) |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| element-hq | element-web | Affected: < 1.11.85 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-51750",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T17:12:11.203871Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T17:12:21.715Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "element-web",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.85"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Element is a Matrix web client built using the Matrix React SDK. A malicious homeserver can send invalid messages over federation which can prevent Element Web and Desktop from rendering single messages or the entire room containing them. This was patched in Element Web and Desktop 1.11.85."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-248",
"description": "CWE-248: Uncaught Exception",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T16:34:27.928Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/element-web/security/advisories/GHSA-w36j-v56h-q9pc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/element-web/security/advisories/GHSA-w36j-v56h-q9pc"
},
{
"name": "https://github.com/element-hq/element-web/commit/231073c578d5f92b33cde7aa2b0b9c5836b2dc48",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/element-web/commit/231073c578d5f92b33cde7aa2b0b9c5836b2dc48"
}
],
"source": {
"advisory": "GHSA-w36j-v56h-q9pc",
"discovery": "UNKNOWN"
},
"title": "Element allows a malicious homeserver can modify events leading to unrenderable events or rooms"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-51750",
"datePublished": "2024-11-12T16:34:27.928Z",
"dateReserved": "2024-10-31T14:12:45.790Z",
"dateUpdated": "2024-11-12T17:12:21.715Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-51749 (GCVE-0-2024-51749)
Vulnerability from nvd – Published: 2024-11-12 16:34 – Updated: 2024-11-12 17:14
Summary
Element is a Matrix web client built using the Matrix React SDK. Versions of Element Web and Desktop earlier than 1.11.85 do not check that the thumbnail attached to an attachment, sticker or image event is coherent with the event's actual content. An attacker who can send events to a room can therefore supply a thumbnail that misrepresents what clicking the item will do — for example, an event that triggers a file download once clicked (CWE-451, UI misrepresentation of critical information). Exploitation requires the victim to click the item (CVSS v3.1 UI:R). Fixed in element-web 1.11.85.
Severity: 3.5 (Low) — CVSS v3.1 base score; vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
CWE
- CWE-451 - User Interface (UI) Misrepresentation of Critical Information
Assigner: GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/element-hq/element-web/security/advisories/GHSA-5486-384g-mcx2 | x_refsource_CONFIRM (vendor advisory) |
| https://github.com/element-hq/element-web/commit/a00c343435d633e64de2c0548217aa611c7bbef5 | x_refsource_MISC (fix commit) |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| element-hq | element-web | Affected: < 1.11.85 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-51749",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T17:14:12.000969Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T17:14:30.943Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "element-web",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.85"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Element is a Matrix web client built using the Matrix React SDK. Versions of Element Web and Desktop earlier than 1.11.85 do not check if thumbnails for attachments, stickers and images are coherent. It is possible to add thumbnails to events trigger a file download once clicked. Fixed in element-web 1.11.85."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-451",
"description": "CWE-451: User Interface (UI) Misrepresentation of Critical Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T16:34:21.603Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/element-web/security/advisories/GHSA-5486-384g-mcx2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/element-web/security/advisories/GHSA-5486-384g-mcx2"
},
{
"name": "https://github.com/element-hq/element-web/commit/a00c343435d633e64de2c0548217aa611c7bbef5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/element-web/commit/a00c343435d633e64de2c0548217aa611c7bbef5"
}
],
"source": {
"advisory": "GHSA-5486-384g-mcx2",
"discovery": "UNKNOWN"
},
"title": "Element\u0027s thumbnails can be abused to misrepresent the content of an attachment"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-51749",
"datePublished": "2024-11-12T16:34:21.603Z",
"dateReserved": "2024-10-31T14:12:45.790Z",
"dateUpdated": "2024-11-12T17:14:30.943Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47779 (GCVE-0-2024-47779)
Vulnerability from nvd – Published: 2024-10-15 15:28 – Updated: 2024-11-12 16:07
Summary
Element is a Matrix web client built using the Matrix React SDK. Element Web versions 1.11.70 through 1.11.80 contain a vulnerability which can, under specially crafted conditions, lead to the access token becoming exposed to third parties. At least one vector has been identified internally, involving malicious widgets, but other vectors may exist. Note that despite superficial similarity to CVE-2024-47771, this is an entirely separate vulnerability, caused by a separate piece of code included only in Element Web. Element Web and Element Desktop share most, but not all, of their code, and this vulnerability exists in the part of the code base which is not shared between the projects. Users are strongly advised to upgrade to version 1.11.81 to remediate the issue. As a workaround, avoid granting permissions to untrusted widgets.
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Impacted products
| Vendor | Product | Version |
|---|---|---|
| element-hq | element-web | Affected: >= 1.11.70, < 1.11.81 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47779",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T15:44:14.817960Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T15:44:32.771Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "element-web",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.11.70, \u003c 1.11.81"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Element is a Matrix web client built using the Matrix React SDK. Element Web versions 1.11.70 through 1.11.80 contain a vulnerability which can, under specially crafted conditions, lead to the access token becoming exposed to third parties. At least one vector has been identified internally, involving malicious widgets, but other vectors may exist. Note that despite superficial similarity to CVE-2024-47771, this is an entirely separate vulnerability, caused by a separate piece of code included only in Element Web. Element Web and Element Desktop share most but not all, of their code and this vulnerability exists in the part of the code base which is not shared between the projects. Users are strongly advised to upgrade to version 1.11.81 to remediate the issue. As a workaround, avoid granting permissions to untrusted widgets."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T16:07:45.332Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/element-web/security/advisories/GHSA-3jm3-x98c-r34x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/element-web/security/advisories/GHSA-3jm3-x98c-r34x"
},
{
"name": "https://github.com/element-hq/element-web/commit/8d7f2b5c1301129a488d3597f3839bd74203ee62",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/element-web/commit/8d7f2b5c1301129a488d3597f3839bd74203ee62"
}
],
"source": {
"advisory": "GHSA-3jm3-x98c-r34x",
"discovery": "UNKNOWN"
},
"title": "Element Web vulnerable to potential exposure of access token via authenticated media"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47779",
"datePublished": "2024-10-15T15:28:00.293Z",
"dateReserved": "2024-09-30T21:28:53.236Z",
"dateUpdated": "2024-11-12T16:07:45.332Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}