彙總 element 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
常見弱點模式包括 路徑處理缺陷、記憶體損壞與輸入驗證問題,在 生產負載與軟體部署 使用場景中可能帶來 檔案覆寫、記憶體損壞與應用程式崩潰 等風險。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2026-45078 | Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing other users to be denied service. This vulnerability is fixed in 1.152.1. | [email protected] | 6.8 | 0.13% | 2026-05-28 | 2026-06-17 |
| CVE-2026-45076 | Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, in federated rooms, malicious homeservers can craft room events in such a way that prevents Synapse from providing full history to paginating clients. Clients could therefore fail to display room history. This vulnerability is fixed in 1.152.1. | [email protected] | 5.1 | 0.37% | 2026-05-28 | 2026-06-17 |
| CVE-2025-27606 | Element Android is an Android Matrix Client provided by Element. Element Android up to version 1.6.32 can, under certain circumstances, fail to logout the user if they input the wrong PIN more than the configured amount of times. An attacker with physical access to a device can exploit this to guess the PIN. Version 1.6.34 solves the issue. | [email protected] | 5.1 | 0.18% | 2025-03-14 | 2026-06-17 |
| CVE-2024-26132 | Element Android is an Android Matrix Client. A third-party malicious application installed on the same phone can force Element Android, version 0.91.0 through 1.6.12, to share files stored under the `files` directory in the application's private data directory to an arbitrary room. The impact of the attack is reduced by the fact that the databases stored in this folder are encrypted. However, it contains some other potentially sensitive information, such as the FCM token. Forks of Element Androi | [email protected] | 4.0 | 0.39% | 2024-02-28 | 2026-06-17 |
| CVE-2024-26131 | Element Android is an Android Matrix Client. Element Android version 1.4.3 through 1.6.10 is vulnerable to intent redirection, allowing a third-party malicious application to start any internal activity by passing some extra parameters. Possible impact includes making Element Android display an arbitrary web page, executing arbitrary JavaScript; bypassing PIN code protection; and account takeover by spawning a login screen to send credentials to an arbitrary home server. This issue is fixed in E | [email protected] | 8.4 | 0.47% | 2024-02-28 | 2026-06-17 |
| CVE-2022-41904 | Element iOS is an iOS Matrix client provided by Element. It is based on MatrixSDK. Prior to version 1.9.7, events encrypted using Megolm for which trust could not be established did not get decorated accordingly (with warning shields). Therefore a malicious homeserver could inject messages into the room without the user being alerted that the messages were not sent by a verified group member, even if the user has previously verified all group members. This issue has been patched in Element iOS 1 | [email protected] | 6.4 | 0.41% | 2022-11-11 | 2026-06-17 |
| CVE-2022-23597 | Element Desktop is a Matrix client for desktop platforms with Element Web at its core. Element Desktop before 1.9.7 is vulnerable to a remote program execution bug with user interaction. The exploit is non-trivial and requires clicking on a malicious link, followed by another button click. To the best of our knowledge, the vulnerability has never been exploited in the wild. If you are using Element Desktop < 1.9.7, we recommend upgrading at your earliest convenience. If successfully exploited, t | [email protected] | 8.3 | 1.47% | 2022-02-01 | 2026-06-17 |