CVE-2025-32026
3.8
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Summary
Element Web is a Matrix web client built using the Matrix React SDK. Element Web, starting from version 1.11.16 up to version 1.11.96, can be configured to load Element Call from an external URL. Under certain conditions, the external page is able to get access to the media encryption keys used for an Element Call call. Version 1.11.97 fixes the problem.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| element-hq | element-web | >= 1.11.16, < 1.11.97 | affected |
Weaknesses
- CWE-497: CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.