CVE-2026-0932
Severity: HIGH
WAF: Medium
CVSS 7.3
Published: 2026-04-01
CWE-918
Blind server-side request forgery (SSRF) vulnerability in legacy connection methods of document co-authoring features in M-Files Server before 26.3 allows an unauthenticated attacker to cause the server to send HTTP GET requests to arbitrary URLs.
WAF Coverage Analysis
Server-Side Request Forgery (SSRF)
Medium WAF Coverage
OWASP: A10:2021 SSRF
934xxx - Node.js / Generic Injection
Affected Software
| Vendor | Product | Version |
|---|---|---|
| m-files | m-files_server | up to 26.3.15818.5 |
References
- empower.m-files.com (Vendor Advisory)
- product.m-files.com (Vendor Advisory)