Stored Cross-Site Scripting in M-Files Server Admin Tool by M-Files
CVE-2025-2159
5.1 MEDIUM
What is CVE-2025-2159?
A stored cross-site scripting (XSS) vulnerability in the M-Files Server Admin Tool allows authenticated local users to execute scripts through the user interface. The flaw affects versions before 25.3.14681.7 on Windows. An attacker who exploits it can run arbitrary scripts within the application, potentially leading to unauthorized access or data exposure.
Affected Version(s)
M-Files Admin (Windows): all versions before 25.3.14681.7
References
CVSS V4
Score: 5.1
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Pasi Orovuo / Solita Oy
Teemu Laakso / Solita Oy