CVE-2025-68917
Description
ONLYOFFICE Docs before 9.2.1 allows XSS in the textarea of the comment editing form. This is related to DocumentServer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ONLYOFFICE Docs before 9.2.1 contains a stored XSS vulnerability in the comment editing form's textarea, allowing arbitrary JavaScript execution.
The vulnerability is a stored cross-site scripting (XSS) issue in the comment editing form of ONLYOFFICE Docs. In versions prior to 9.2.1, user input entered into the textarea of the comment form is not properly sanitized before being stored and later rendered to other users [1]. This allows an attacker to inject malicious JavaScript code into a comment.
To exploit this, an attacker must be an authenticated user who can create or edit comments on documents. The malicious comment is stored on the server and subsequently displayed to any user viewing the document. No special network access or additional authentication is required beyond a valid account [1].
Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, theft of sensitive data, or arbitrary actions performed on behalf of the victim within the ONLYOFFICE application [1].
The vulnerability is fixed in ONLYOFFICE Docs version 9.2.1. Users are advised to upgrade immediately to mitigate the risk [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <9.2.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.