Alfresco Alfresco

  1. Vendors
  2. Alfresco

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Alfresco product.

RSS Feeds for Alfresco security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in Alfresco products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by Alfresco Sorted by Most Security Vulnerabilities since 2018

Alfresco9 vulnerabilities

Alfresco Content Services2 vulnerabilities

Alfresco Community Share2 vulnerabilities

Alfresco Transform Services1 vulnerability

Alfresco Reset Password1 vulnerability

Alfresco Share1 vulnerability

By the Year

In 2026 there have been 2 vulnerabilities in Alfresco with an average score of 6.9 out of ten. Alfresco did not have any published security vulnerabilities last year. That is, 2 more vulnerabilities have already been reported in 2026 as compared to last year.




Year Vulnerabilities Average Score
2026 2 6.90
2025 0 0.00
2024 0 0.00
2023 0 0.00
2022 1 0.00
2021 3 6.50
2020 4 9.80
2019 5 9.80

It may take a day or so for new Alfresco vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Alfresco Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-3967 Mar 12, 2026
Alfresco Activiti <=7.19/8.8.0 Process Var Deserialization RCE CVE-2026-3967 A flaw has been found in Alfresco Activiti up to 7.19/8.8.0. Affected by this issue is the function deserialize/createObjectInputStream of the file activiti-core/activiti-engine/src/main/java/org/activiti/engine/impl/variable/SerializableType.java of the component Process Variable Serialization System. This manipulation causes deserialization. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-26336 Feb 19, 2026
Alfresco Unauth File Disclosure via /share/page/resource/ Hyland Alfresco allows unauthenticated attackers to read arbitrary files from protected directories (like WEB-INF) via the "/share/page/resource/" endpoint, thus leading to the disclosure of sensitive configuration files.
Community Share
CVE-2020-18327 Mar 04, 2022
Cross Site Scripting (XSS) vulnerability exists in Alfresco Alfresco Community Edition v5.2.0 Cross Site Scripting (XSS) vulnerability exists in Alfresco Alfresco Community Edition v5.2.0 via the action parameter in the alfresco/s/admin/admin-nodebrowser API. Fixed in v6.2
Alfresco
CVE-2021-41792 Oct 21, 2021
An issue was discovered in Hyland org.alfresco:alfresco-content-services through 6.2.2.18 and org.alfresco:alfresco-transform-services through 1.3 An issue was discovered in Hyland org.alfresco:alfresco-content-services through 6.2.2.18 and org.alfresco:alfresco-transform-services through 1.3. A crafted HTML file, once uploaded, could trigger an unexpected request by the transformation engine. The response to the request is not available to the attacker, i.e., this is blind SSRF.
Alfresco Content Services
Alfresco Transform Services
CVE-2021-41791 Oct 21, 2021
An issue was discovered in Hyland org.alfresco:share through 7.0.0.2 and org.alfresco:community-share through 7.0 An issue was discovered in Hyland org.alfresco:share through 7.0.0.2 and org.alfresco:community-share through 7.0. An evasion of the XSS filter for HTML input validation in the Alfresco Share User Interface leads to stored XSS that could be exploited by an attacker (given that he has privileges on the content collaboration features).
Community Share
Share
CVE-2021-41790 Oct 21, 2021
An issue was discovered in Hyland org.alfresco:alfresco-content-services through 7.0.1.2 An issue was discovered in Hyland org.alfresco:alfresco-content-services through 7.0.1.2. Script Action execution allows executing scripts uploaded outside of the Data Dictionary. This could allow a logged-in attacker to execute arbitrary code inside a sandboxed environment.
Alfresco Content Services
CVE-2020-15181 Sep 18, 2020
The Alfresco Reset Password add-on before version 1.2.0 relies on untrusted inputs in a security decision The Alfresco Reset Password add-on before version 1.2.0 relies on untrusted inputs in a security decision. Intruders can get admin's access to the system using the vulnerability in the project. Impacts all servers where this add-on is installed. The problem is fixed in version 1.2.0
Reset Password
CVE-2020-8776 Mar 02, 2020
Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via the URL property of a file.
Alfresco
CVE-2020-8777 Mar 02, 2020
Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via a user profile photo, as demonstrated by a SCRIPT element in an SVG document.
Alfresco
CVE-2020-8778 Mar 02, 2020
Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 (rb65251d6-b368) has XSS via an uploaded document, when the attacker has write access to a project.
Alfresco
CVE-2019-19496 Dec 02, 2019
Alfresco Enterprise before 5.2.5 Alfresco Enterprise before 5.2.5 allows stored XSS via an uploaded HTML document.
Alfresco
CVE-2019-14223 Sep 06, 2019
An issue was discovered in Alfresco Community Edition versions below 5.2.6, 6.0.N and 6.1.N An issue was discovered in Alfresco Community Edition versions below 5.2.6, 6.0.N and 6.1.N. The Alfresco Share application is vulnerable to an Open Redirect attack via a crafted POST request. By manipulating the POST parameters, an attacker can redirect a victim to a malicious website over any protocol the attacker desires (e.g.,http, https, ftp, smb, etc.).
Alfresco
CVE-2019-14222 Sep 05, 2019
An issue was discovered in Alfresco Community Edition versions 6.0 and lower An issue was discovered in Alfresco Community Edition versions 6.0 and lower. An unauthenticated, remote attacker could authenticate to Alfresco's Solr Web Admin Interface. The vulnerability is due to the presence of a default private key that is present in all default installations. An attacker could exploit this vulnerability by using the extracted private key and bundling it into a PKCS12. A successful exploit could allow the attacker to gain information about the target system (e.g., OS type, system file locations, Java version, Solr version, etc.) as well as the ability to launch further attacks by leveraging the access to Alfresco's Solr Web Admin Interface.
Alfresco
CVE-2019-14224 Sep 05, 2019
An issue was discovered in Alfresco Community Edition 5.2 201707 An issue was discovered in Alfresco Community Edition 5.2 201707. By leveraging multiple components in the Alfresco Software applications, an exploit chain was observed that allows an attacker to achieve remote code execution on the victim machine. The attacker must upload malicious Solr configuration files and then receive a JMX connection from the victim, and serve a Java object that results in deserialization and code execution.
Alfresco
CVE-2019-15566 Aug 26, 2019
The Alfresco application before 1.8.7 for Android The Alfresco application before 1.8.7 for Android allows SQL injection in HistorySearchProvider.java.
Alfresco
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.