Unrated severityNVD Advisory· Published Jan 7, 2025· Updated Nov 3, 2025

URL fetching can be used to exfiltrate arbitrary INI file values and environment variables

CVE-2024-12426

Description

Exposure of Environmental Variables and arbitrary INI file values to an Unauthorized Actor vulnerability in The Document Foundation LibreOffice.

URLs could be constructed which expanded environmental variables or INI file values, so potentially sensitive information could be exfiltrated to a remote server on opening a document containing such links.

This issue affects LibreOffice: from 24.8 before < 24.8.4.

Affected products

The Document Foundation/Libreoffice Onlinellm-fuzzy2 versions
>=24.8, <24.8.4+ 1 more
- (no CPE)range: >=24.8, <24.8.4
- (no CPE)range: 24.8

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.libreoffice.org/about-us/security/advisories/cve-2024-12426mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000