CVE-2026-0932 MEDIUM

CVE-2026-0932

Vendor M-Files Corporation

Product M-Files Server

Weakness CWE-918 · SSRF

Published April 1, 2026

Last update April 1, 2026

View on NVD All CVEs

CVSS base score

6.9/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Blind server-side request forgery (SSRF) vulnerability in legacy connection methods of document co-authoring features in M-Files Server before 26.3 allow an unauthenticated attacker to cause the server to send HTTP GET requests to arbitrary URLs.

Key dates

02Disclosure timeline

April 1, 2026 CVE published

April 1, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-0932 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/918.html

Related vulnerabilities

04Related CVE

CVE-2024-39598 [Multiple CVEs] Multiple vulnerabilities in SAP CRM (WebClient UI) CVE-2026-44285 FastGPT: SSRF Protection Bypass via `externalFile` in Dataset Preview API CVE-2026-39647 WordPress MP3 Audio Player for Music, Radio & Podcast by Sonaar plugin <= 5.11 - Server Side Request Forgery (SSRF) vulnerability CVE-2026-41272 Flowise: SSRF Protection Bypass (TOCTOU & Default Insecure) CVE-2026-7049 PixelYourSite Pro <= 12.5.0.1 - Unauthenticated Blind Server-Side Request Forgery via 'urls[]' Parameter