Browse all 23 CVE security advisories affecting element-hq. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Element-HQ develops and maintains Element, an open-source communication platform built on the Matrix protocol, facilitating secure messaging and collaboration for enterprises and individuals. The software’s architecture, which relies heavily on web technologies and server-side components, has historically exposed it to common web application vulnerabilities. Recorded Common Vulnerabilities and Exposures (CVEs) frequently involve cross-site scripting (XSS), allowing attackers to inject malicious scripts into web pages viewed by other users. Additionally, several incidents have highlighted issues related to improper access control and potential remote code execution (RCE) vectors within the underlying Synapse server implementation. These flaws often stem from complex integration points between the client interface and backend services. While the platform emphasizes end-to-end encryption for data privacy, the broader attack surface includes traditional web security risks. Recent patches have addressed critical privilege escalation bugs, underscoring the ongoing need for rigorous code auditing in this widely deployed communication infrastructure.

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2025-27606 | Element Android PIN autologout bypass — element-android (CWE-488) | 5.1 | Medium | 2025-03-14 |
| CVE-2024-26132 | Element Android can be asked to share internal files. — element-android (CWE-200) | 4.0 | Medium | 2024-02-20 |
| CVE-2024-26131 | Element Android Intent Redirection — element-android (CWE-923) | 8.4 | High | 2024-02-20 |

This page lists every published CVE security advisory associated with element-hq. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.