This page lists publicly disclosed CVE vulnerabilities affecting m-files m-files_web (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-3087 | Stored XSS in M-Files Web versions from 25.1.14445.5 to 25.2.14524.4 allows an authenticated user to run scripts | [email protected] | 5.1 | 0.22% | 2025-04-04 | 2026-06-17 |
| CVE-2021-41807 | Lack of rate limiting in M-Files Server and M-Files Web products with versions before 21.12.10873.0 in certain type of user accounts allows unlimited amount of attempts and therefore makes brute-forcing login accounts easier. | [email protected] | 7.5 | 1.11% | 2022-01-18 | 2026-06-17 |
| CVE-2021-37253 | M-Files Web before 20.10.9524.1 allows a denial of service via overlapping ranges (in HTTP requests with crafted Range or Request-Range headers). NOTE: this is disputed because the range behavior is the responsibility of the web server, not the responsibility of the individual web application | [email protected] | 7.5 | 2.84% | 2021-12-05 | 2026-06-17 |
| CVE-2021-37254 | In M-Files Web product with versions before 20.10.9524.1 and 20.10.9445.0, a remote attacker could use a flaw to obtain unauthenticated access to 3rd party component license key information on server. | [email protected] | 7.5 | 1.30% | 2021-10-28 | 2026-06-17 |