M-files M-files_server
34 CVEs affecting M-files M-files_server. Latest disclosed: 2026-04-01. Critical: 1, High: 8.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
CVE-2024-10127 | Critical | 9.8 | 2024-11-20 | Authentication bypass condition in LDAP authentication in M-Files server versions before 24.11 supported usage of OpenLDAP configurations that allowed user aut… |
CVE-2025-0635 | High | 7.5 | 2025-01-23 | Denial of service condition in M-Files Server in versions before 25.1.14445.5 allows an unauthenticated user to consume computing resources in certain condit… |
CVE-2024-4056 | High | 7.5 | 2024-04-26 | Denial of service condition in M-Files Server in versions before 24.4.13592.4 and after 23.11 (excluding 24.2 LTS) allows unauthenticated user to consume compu… |
CVE-2023-6912 | High | 7.5 | 2023-12-20 | Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authentication attempts, potentially comprom… |
CVE-2023-3405 | High | 7.5 | 2023-06-27 | Unchecked parameter value in M-Files Server in versions before 23.6.12695.3 (excluding 23.2 SR2 and newer) allows anonymous user to cause denial of service |
CVE-2023-0383 | High | 7.5 | 2023-04-20 | User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolled memory consumption. |
CVE-2021-41807 | High | 7.5 | 2022-01-18 | Lack of rate limiting in M-Files Server and M-Files Web products with versions before 21.12.10873.0 in certain type of user accounts allows unlimited amount of… |
CVE-2026-0932 | High | 7.3 | 2026-04-01 | Blind server-side request forgery (SSRF) vulnerability in legacy connection methods of document co-authoring features in M-Files Server before 26.3 allow an un… |
CVE-2025-3086 | High | 7.1 | 2025-04-04 | Improper isolation of users in M-Files Server version before 25.3.14549 allows anonymous user to affect other anonymous users views and possibly cause a denial… |
CVE-2025-11681 | Medium | 6.5 | 2025-11-17 | Denial-of-service condition in M-Files Server versions before 25.11.15392.1, before 25.2 LTS SR2 and before 25.8 LTS SR2 allows an authenticated user to cause… |
CVE-2025-5964 | Medium | 6.5 | 2025-06-15 | A path traversal issue in the API endpoint in M-Files Server before version 25.6.14925.0 allows an authenticated user to read files in the server. |
CVE-2024-6789 | Medium | 6.5 | 2024-08-27 | A path traversal issue in API endpoint in M-Files Server before version 24.8.13981.0 and LTS 24.2.13421.15 SR2 and LTS 23.8.12892.0 SR6 allows authenticated us… |
CVE-2023-6910 | Medium | 6.5 | 2023-12-20 | A vulnerable API method in M-Files Server before 23.12.13195.0 allows for uncontrolled resource consumption. Authenticated attacker can exhaust server storage… |
CVE-2023-0384 | Medium | 6.5 | 2023-04-20 | User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolled memory consumption for a scheduled… |
CVE-2023-0382 | Medium | 6.5 | 2023-04-05 | User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolled memory consumption. |
CVE-2022-3284 | Medium | 6.5 | 2023-03-06 | Download key for a file in a vault was passed in an insecure way that could easily be logged in M-Files New Web in M-Files before 22.11.12011.0. This issue aff… |
CVE-2023-6117 | Medium | 5.7 | 2023-11-22 | A possibility of unwanted server memory consumption was detected through the obsolete functionalities in the Rest API methods of the M-Files server before 23… |
CVE-2023-6239 | Medium | 5.4 | 2023-11-28 | Under rare conditions, the effective permissions of an object might be incorrectly calculated if the object has a specific configuration of metadata-driven per… |
CVE-2022-1911 | Medium | 5.3 | 2022-11-30 | Error in parser function in M-Files Server versions before 22.6.11534.1 and before 22.6.11505.0 allowed unauthenticated access to some information of the under… |
CVE-2022-4862 | Medium | 5.0 | 2023-03-06 | Rendering of HTML provided by another authenticated user is possible in browser on M-Files Web before 22.12.12140.3. This allows the content to steal user sens… |