CVE-2025-2159 MEDIUM

CVE-2025-2159: Stored XSS in M-Files Admin user interface

Vendor M-Files Corporation
Product M-Files Admin
Weakness CWE-79 · XSS
Published April 4, 2025
Last update February 23, 2026

CVSS base score

5.1/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Stored XSS in Desktop UI in M-Files Server Admin tool before version 25.3.14681.7 on Windows allows authenticated local user to run scripts via UI

Key dates

02Disclosure timeline

April 4, 2025 CVE published
February 23, 2026 Record updated

Related vulnerabilities

04Related CVE