Detailed information on public vulnerabilities in M-Files products. Additional M-Files security-related information is available in the M-Files Trust Center.

2026

| CVE ID | Date issued | Title | CVSS | Products |
|---|---|---|---|---|
| CVE-2026-0932 | 2026-04-01 | SSRF Vulnerability in M-Files Server | 6.9 | M-Files Server before 26.3.15818.5 |
| CVE-2026-0663 | 2026-01-21 | Denial of Service Condition in M-Files Server | 6.9 | M-Files Server before 26.1.15632.3 |

2025

| CVE ID | Date issued | Title | CVSS | Products |
|---|---|---|---|---|
| CVE-2025-13008 | 2025-12-19 | Session Token Disclosure in M-Files Web | 8.6 | M-Files Server before 25.12.15491.7; M-Files Server before LTS 25.8 SR3 (25.8.15085.18); M-Files Server before LTS 25.2 SR3 (25.2.14524.14); M-Files Server before LTS 24.8 SR5 (24.8.13981.17) |
| CVE-2025-14267 | 2025-12-18 | Unintended temporary cached data included in a structure only copy intended to be empty of data | 5,6 | M-Files Server before 25.12.15491.7 |
| CVE-2025-14318 | 2025-12-18 | Improper access validation in M-Files Server | 5.3 | M-Files Server before 25.12.15491.7 |
| CVE-2025-11681 | 2025-11-17 | Denial of Service condition in M-Files Server | 7.1 | M-Files Server before 25.11.15392.1; M-Files Server before 25.2 LTS SR2 (25.2.14524.13); M-Files Server before 25.8 LTS SR2 (25.8.15085.17) |
| CVE-2025-9826 | 2025-09-15 | Stored XSS in M-Files Hubshare | 7.0 | M-Files Hubshare before Aug ’25 (25.8) |
| CVE-2025-2091 | 2025-06-16 | Open Redirection in M-Files Mobile | 4.8 | M-Files Mobile iOS and Android applications before 25.6.0 |
| CVE-2025-5964 | 2025-06-16 | Path traversal in M-Files API | 8.4 | M-Files Server before 25.6.14925.0; M-Files Server before 25.2 LTS SR1 (25.2.14524.9); M-Files Server before 24.8 LTS SR4 (24.8.13981.16) |
| CVE-2025-3086 | 2025-04-04 | User in anonymous role could create and delete views | 6.3 | M-Files Server before 25.3.14549 |
| CVE-2025-3087 | 2025-04-04 | XSS Vulnerability in M-Files Web | 5.1 | M-Files Web versions 25.1.14445.5 and 25.2.14524.4 |
| CVE-2025-2159 | 2025-04-04 | Stored XSS in M-Files Admin user interface | 5.1 | M-Files Admin tool before 25.3.14681.7 |
| CVE-2025-0635 | 2025-01-23 | Denial of Service condition in M-Files Server | 6.3 | M-Files Server before 25.1.14445.5 |
| CVE-2025-0648 | 2025-01-23 | M-Files Server crash via EOT database driver configuration | 5.9 | M-Files Server before 25.1.14445.5; M-Files Server before 24.8 LTS SR3 (24.8.13981.14) |
| CVE-2025-0619 | 2025-01-23 | Unsafe stored password recovery | 4.6 | M-Files Server before 25.1.14445.5 |

2024

| CVE ID | Date issued | Title | CVSS | Products |
|---|---|---|---|---|
| CVE-2024-10126 | 2024-11-20 | Local file inclusion vulnerability in M-Files Server | 5.3 | M-Files Server before 24.11; M-Files Server before 23.8 LTS SR7; M-Files Server before 24.2 LTS SR3; M-Files Server before 24.8 LTS SR1 |
| CVE-2024-10127 | 2024-11-20 | Support for authentication bypass condition in M-Files LDAP authentication | 9.2 | M-Files Server before 24.11; M-Files Server before 24.8 LTS SR2 (24.8.13981.13) |
| CVE-2024-11176 | 2024-11-20 | Incorrect evaluation of effective permissions in M-Files Aino | 5.3 | M-Files Aino before 24.10 |
| CVE-2024-9174 | 2024-10-02 | Stored HTML Injection in Hubshare Social module | 6.9 | M-Files Hubshare before 5.0.8.6 |
| CVE-2024-9333 | 2024-10-02 | Permission bypass in M-Files Connector for Copilot | 5.3 | M-Files Connector for Copilot before 24.9.3 |
| CVE-2024-6789 | 2024-08-27 | Path traversal in M-Files API | 8.4 | M-Files Server before 24.8.13981.0; M-Files Server before 24.2 LTS SR2 (24.2.13421.15); M-Files Server before 23.8 LTS SR6 (23.8.12892.0) |
| CVE-2024-6881 | 2024-07-29 | Stored XSS Vulnerability | 8.5 | M-Files Hubshare before 5.0.6.0 |
| CVE-2024-6124 | 2024-07-29 | Reflected XSS in Hubshare via Open Redirect | 8.5 | M-Files Hubshare before 5.0.6.0 |
| CVE-2024-4056 | 2024-04-26 | Denial of Service condition in M-Files Server | 7.5 | M-Files Server before 24.4.13592.4 and after 23.11; M-Files Server not affected at 24.2 LTS |
| CVE-2024-5142 | 2024-04-26 | XSS Vulnerability in Hubshare | 7.0 | M-Files Hubshare before 5.0.6.0 |
| CVE-2023-4479 | 2024-03-04 | Stored XSS Vulnerability in M-Files Web | 7.3 | M-Files Web before 23.8 |
| CVE-2024-0563 | 2024-02-23 | Denial of service condition in M-Files Server | 4.3 | M-Files Server before 24.2; M-Files Server before 23.2 LTS SR7; M-Files Server before 23.8 LTS SR5 |

2023

| CVE ID | Date issued | Title | CVSS | Products |
|---|---|---|---|---|
| CVE-2023-6912 | 2023-12-19 | Brute force vulnerability in M-Files user authentication | 7.5 | M-Files Server before 23.12.13205.0; M-Files Server before 23.2 LTS SR6 (this service release is not affected); M-Files Server before 23.8 LTS SR4 (this service release is not affected) |
| CVE-2023-6910 | 2023-12-18 | Uncontrolled Resource Consumption in M-Files Server | 6.5 | M-Files Server before 23.12.13195.0; M-Files Server before 23.2 LTS SR6 (this service release is not affected); M-Files Server before 23.8 LTS SR4 (this service release is not affected) |
| CVE-2023-6117 | 2023-11-22 | M-Files REST API allows Denial of Service | 5.7 | M-Files Server before 23.11.13156.0 |
| CVE-2023-6189 | 2023-11-22 | Elevation of Privilege in M-Files Server | 4.3 | M-Files Server before 23.11.13156.0 |
| CVE-2023-6239 | 2023-11-21 | Incorrect calculation of effective permissions | 5.4 | M-Files Server 23.9; M-Files Server 23.10; M-Files Server 23.11 versions prior to 23.11.13168.7 |
| CVE-2023-2325 | 2023-10-20 | Stored XSS Vulnerability in M-Files Classic Web | 7.3 | M-Files Server before 23.10; M-Files Server before 23.2 LTS SR4 (this service release is not affected); M-Files Server before 23.8 LTS SR1 (this service release is not affected) |
| CVE-2023-5524 | 2023-10-20 | M-Files Web Companion allowed Remote Code Execution for some filetypes | 8.2 | M-Files Web Companion before 23.10; M-Files Web Companion before 23.8 LTS SR1 |
| CVE-2023-5523 | 2023-10-20 | M-Files Web Companion allows Remote Code Execution | 8.6 | M-Files Web Companion before 23.10; M-Files Web Companion before 23.8 LTS SR1 |
| CVE-2023-3406 | 2023-08-25 | Path traversal issue in M-Files Classic Web | 7.7 | M-Files Classic Web before 23.6.12695.3; M-Files Classic Web before 23.2 LTS SR3 |
| CVE-2023-3405 | 2023-06-28 | Denial of service in M-Files Server | 7.5 | M-Files Server before 23.6.12695.3 (excluding 23.2 SR2 and newer) |
| CVE-2023-3425 | 2023-06-27 | Out-of-Bounds memory read in M-Files Server | 6.5 | M-Files Server before 23.8.12892.6; M-Files Server before 23.2 LTS SR3 |
| CVE-2023-2480 | 2023-05-25 | Elevation of Privilege in M-Files Desktop Client | 7.5 | M-Files Client before 23.5.12598.0 |
| CVE-2023-0383 | 2023-04-20 | Uncontrolled Resource Consumption in M-Files Server | 7.5 | M-Files Server before 23.4.12528.1 |
| CVE-2023-0384 | 2023-04-20 | Uncontrolled Resource Consumption in M-Files Server | 6.5 | M-Files Server before 23.4.12528.1 |
| CVE-2023-2112 | 2023-04-20 | Desktop Component allows lateral movement between sessions | 3.6 | M-Files Desktop before 23.4.12455.0 |
| CVE-2023-0382 | 2023-04-05 | Uncontrolled Resource Consumption in M-Files Server | 6.5 | M-Files Server before 23.4.12528.1 |
| CVE-2023-0213 | 2023-03-29 | Elevation of Privilege | 8.8 | M-Files version before 22.6. |
| CVE-2022-4862 | 2023-03-06 | XSS vulnerability in M-Files Web | 5.0 | M-Files Web before 22.12.12140.3. |
| CVE-2022-3284 | 2023-03-06 | Insecure way of passing a download key | 6.5 | M-Files New Web before 22.11.12011.0. |

2022

| CVE ID | Date issued | Title | CVSS | Products |
|---|---|---|---|---|
| CVE-2022-4861 | 2022-12-30 | Incorrect Implementation of Authentication Algorithm | 4.8 | M-Files Client before 22.5.11356.0. |
| CVE-2022-4858 | 2022-12-30 | Insertion of Sensitive Information into Log File | 4.4 | M-Files Server before 22.10.11846.0. |
| CVE-2022-4264 | 2022-12-09 | Incorrect privilege assignment | 6.5 | M-Files Web Classic version before 22.8.11691.0. |
| CVE-2022-4270 | 2022-12-02 | Incorrect privilege assignment | 2.0 | M-Files Web Classic version before 22.5.11436.1. M-Files Web vNext version before 22.5.11436.1. |
| CVE-2022-1606 | 2022-11-30 | Incorrect Privilege Assignment | 2.4 | All M-Files Server versions before 22.3.111.64.0 and before 22.3.11237.1. |
| CVE-2022-1911 | 2022-11-30 | Information disclosure in M-Files Server | 5.3 | M-Files Server before 22.6.11534.1 and before 22.6.11505.0. |
| CVE-2022-3602 | 2022-11-01 | OpenSSL 3.x Vulnerability and M-Files | 7.5 | M-Files Server/Desktop/Classic Web/VNEXT/Mobile |
| CVE-2022-39017 | 2022-08-20 | Avoid any XSS script execution from comments areas (social, document comment, form comment, etc) | 8.2 | Hubshare |
| CVE-2022-39019 | 2022-08-20 | Pdftron: add security layer to avoid the lack of authorisation check on rendered images from pdftron | 8.2 | Hubshare |
| CVE-2022-39018 | 2022-08-20 | Pdftron: add security layer to avoid the lack of authorisation check on rendered images from pdftron | 8.2 | Hubshare |
| CVE-2022-39016 | 2022-08-20 | Pdftron: avoid possible account takeover with XSS | 8.2 | Hubshare |
| CVE-2021-41810 | 2022-05-02 | Script injection in M-Files Admin | 5.2 | M-Files Admin before 22.2.11051.0 |
| CVE-2022-22965 | 2022-04-01 | Spring Framework RCE and M-Files | 9.8 | M-Files Server/Desktop/Classic Web/VNEXT/Mobile |
| CVE-2022-26809 | 2022-03-09 | Remote Procedure Call Runtime Remote Code Execution Vulnerability and M-Files | 9.8 | M-Files Server/Desktop/Classic Web/VNEXT/Mobile |
| CVE-2021-41809 | 2022-01-17 | SSRF Vulnerability | 3.5 | M-Files Server version before 22.1.11017.1 |
| CVE-2021-41808 | 2022-01-17 | Information disclosure | 2.0 | M-Files Server version before 21.11.10775.0 |
| CVE-2021-41807 | 2022-01-17 | Lack of rate limiting | 7.5 | M-Files Server version before 21.12.10873.0; M-Files Web version before 21.12.10873.0 |

2021

| CVE ID | Date issued | Title | CVSS | Products |
|---|---|---|---|---|
| CVE-2021-37253 | 2021-12-03 | Denial of Service | 7.5 | M-Files Classic Web |
| CVE-2021-37254 | 2021-10-27 | Information Disclosure Vulnerability | 7.5 | M-Files Web version before 20.10.9524.1; M-Files Web version before 20.10.9445.0 |