CVE-2026-0932

EUVD-2026-17865
Blind server-side request forgery (SSRF) vulnerability in legacy connection methods of document co-authoring features in M-Files Server before 26.3 allow an unauthenticated attacker to cause the server to send HTTP GET requests to arbitrary URLs.
SSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.3 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 25%
Affected Products (NVD)
VendorProductVersion
m-filesm-files_server
𝑥
< 26.3.15818.5
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://empower.m-files.com/security-advisories/CVE-2026-0932
https://product.m-files.com/security-advisories/cve-2026-0932/