Skip to main content

Filemaker Server

5 CVEs product

Monthly

CVE-2026-43752 MEDIUM PATCH This Month

Arbitrary code execution on the host operating system is achievable by an authenticated FileMaker Server administrator via a malicious file upload through the Open Source LLM setup feature - specifically the Miniforge installer upload path - in the Admin Console. All FileMaker Server versions prior to 26.0.1 are affected; the flaw is classified as CWE-434 (unrestricted upload of a dangerous file type) and was reported directly by Apple/Claris product security. No public exploit code or CISA KEV listing exists at time of analysis, and SSVC rates exploitation as none with no automation feasibility, substantially limiting real-world risk despite the RCE classification.

RCE File Upload Filemaker Server
NVD
CVSS 3.1
4.9
EPSS
0.3%
CVE-2025-46320 MEDIUM This Month

A cross-site scripting (XSS) vulnerability in a FileMaker WebDirect custom homepage could lead to unauthorized access and remote code execution. This vulnerability has been fully addressed in FileMaker Server 22.0.4 and FileMaker Server 21.1.7. [CVSS 6.1 MEDIUM]

RCE XSS Filemaker Server
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2024-27790 HIGH This Week

Claris International has resolved an issue of potentially allowing unauthorized access to records stored in databases hosted on FileMaker Server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Filemaker Server
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-27794 MEDIUM This Month

Claris FileMaker Server before version 20.3.2 was susceptible to a reflected Cross-Site Scripting vulnerability due to an improperly handled parameter in the FileMaker WebDirect login endpoint. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Filemaker Server
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2021-44147 MEDIUM POC This Month

An XML External Entity issue in Claris FileMaker Pro and Server (including WebDirect) before 19.4.1 allows a remote attacker to disclose local files via a crafted XML/Excel document and perform. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF XXE Filemaker Pro Filemaker Server
NVD
CVSS 3.1
5.5
EPSS
1.1%
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Arbitrary code execution on the host operating system is achievable by an authenticated FileMaker Server administrator via a malicious file upload through the Open Source LLM setup feature - specifically the Miniforge installer upload path - in the Admin Console. All FileMaker Server versions prior to 26.0.1 are affected; the flaw is classified as CWE-434 (unrestricted upload of a dangerous file type) and was reported directly by Apple/Claris product security. No public exploit code or CISA KEV listing exists at time of analysis, and SSVC rates exploitation as none with no automation feasibility, substantially limiting real-world risk despite the RCE classification.

RCE File Upload Filemaker Server
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

A cross-site scripting (XSS) vulnerability in a FileMaker WebDirect custom homepage could lead to unauthorized access and remote code execution. This vulnerability has been fully addressed in FileMaker Server 22.0.4 and FileMaker Server 21.1.7. [CVSS 6.1 MEDIUM]

RCE XSS Filemaker Server
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Claris International has resolved an issue of potentially allowing unauthorized access to records stored in databases hosted on FileMaker Server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Filemaker Server
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Claris FileMaker Server before version 20.3.2 was susceptible to a reflected Cross-Site Scripting vulnerability due to an improperly handled parameter in the FileMaker WebDirect login endpoint. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Filemaker Server
NVD
EPSS 1% CVSS 5.5
MEDIUM POC This Month

An XML External Entity issue in Claris FileMaker Pro and Server (including WebDirect) before 19.4.1 allows a remote attacker to disclose local files via a crafted XML/Excel document and perform. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF XXE Filemaker Pro +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy