element-hq — Vulnerabilities & Security Advisories 23

Browse all 23 CVE security advisories affecting element-hq. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Element-HQ develops and maintains Element, an open-source communication platform built on the Matrix protocol, facilitating secure messaging and collaboration for enterprises and individuals. The software’s architecture, which relies heavily on web technologies and server-side components, has historically exposed it to common web application vulnerabilities. Recorded Common Vulnerabilities and Exposures (CVEs) frequently involve cross-site scripting (XSS), allowing attackers to inject malicious scripts into web pages viewed by other users. Additionally, several incidents have highlighted issues related to improper access control and potential remote code execution (RCE) vectors within the underlying Synapse server implementation. These flaws often stem from complex integration points between the client interface and backend services. While the platform emphasizes end-to-end encryption for data privacy, the broader attack surface includes traditional web security risks. Recent patches have addressed critical privilege escalation bugs, underscoring the ongoing need for rigorous code auditing in this widely deployed communication infrastructure.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-24044 | ESS Community Helm Chart has a weak server key generation method | ess-helm | CWE-336 | 9.1 (AI) | Critical (AI) | 2026-02-12 |
| CVE-2025-62425 | Matrix Authentication Service account password can be changed using an authenticated session without supplying the current password | matrix-authentication-service | CWE-620 | 8.3 | High | 2025-10-16 |
| CVE-2025-61672 | Synapse: Invalid device keys degrade federation functionality | synapse | CWE-1287 | 6.5 (AI) | Medium (AI) | 2025-10-08 |
| CVE-2025-59161 | In Element Web and Element Desktop, a malicious room can hide an unrelated room and cause it to be left when the malicious room is left | element-web | CWE-20 | 7.5 (AI) | High (AI) | 2025-09-16 |
| CVE-2025-27599 | Element X Android vulnerable to loading malicious web pages via received intent | element-x-android | CWE-926 | 6.5 | Medium | 2025-04-18 |
| CVE-2025-32026 | Element Web could load a malicious instance of Element Call leaking media encryption keys | element-web | CWE-497 | 3.8 | Low | 2025-04-08 |
| CVE-2025-31126 | Element X iOS allows the entity in control of the well-known file to break the confidentiality of embedded Element Call | element-x-ios | CWE-200 | 5.3 | Medium | 2025-04-03 |
| CVE-2025-31127 | Element X Android allows the entity in control of the well-known file to break the confidentiality embedded Element Call | element-x-android | CWE-200 | 5.3 | Medium | 2025-04-03 |
| CVE-2025-30355 | Synapse vulnerable to federation denial of service via malformed events | synapse | CWE-20 | 7.1 | High | 2025-03-27 |
| CVE-2025-27606 | Element Android PIN autologout bypass | element-android | CWE-488 | 5.1 | Medium | 2025-03-14 |
| CVE-2024-37303 | Synapse unauthenticated writes to the media repository allow planting of problematic content | synapse | CWE-306 | 5.3 | Medium | 2024-12-03 |
| CVE-2024-37302 | Synapse denial of service through media disk space consumption | synapse | CWE-770 | 7.5 | High | 2024-12-03 |
| CVE-2024-52805 | Synapse allows unsupported content types to lead to memory exhaustion | synapse | CWE-770 | 7.5 | - | 2024-12-03 |
| CVE-2024-52815 | Synapse allows a malformed invite to break the invitee's `/sync` | synapse | CWE-20 | - | - | 2024-12-03 |
| CVE-2024-53867 | Synapse Matrix has a partial room state leak via Sliding Sync | synapse | CWE-497 | 4.3 | Medium | 2024-12-03 |
| CVE-2024-53863 | Synapse can be forced to thumbnail unexpected file formats, invoking external, potentially untrustworthy decoders | synapse | CWE-434 | 6.5 | - | 2024-12-03 |
| CVE-2024-51750 | Element allows a malicious homeserver can modify events leading to unrenderable events or rooms | element-web | CWE-248 | 5.0 | Medium | 2024-11-12 |
| CVE-2024-51749 | Element's thumbnails can be abused to misrepresent the content of an attachment | element-web | CWE-451 | 3.5 | Low | 2024-11-12 |
| CVE-2024-47779 | Element Web vulnerable to potential exposure of access token via authenticated media | element-web | CWE-200 | 7.5 | - | 2024-10-15 |
| CVE-2024-47771 | Element Desktop vulnerable to potential exposure of access token via authenticated media | element-desktop | CWE-200 | 7.5 | - | 2024-10-15 |
| CVE-2024-31208 | Synapse's V2 state resolution weakness allows DoS from remote room members | synapse | CWE-770 | 6.5 | Medium | 2024-04-23 |
| CVE-2024-26132 | Element Android can be asked to share internal files. | element-android | CWE-200 | 4.0 | Medium | 2024-02-20 |
| CVE-2024-26131 | Element Android Intent Redirection | element-android | CWE-923 | 8.4 | High | 2024-02-20 |

This page lists every published CVE security advisory associated with element-hq. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.