Documentserver
by ONLYOFFICE
Source repositories
CVEs (20)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-5301 | Med | 0.40 | 6.1 | 0.35 | Jun 12, 2025 | ONLYOFFICE Docs (DocumentServer) in versions equal and below 8.3.1 are affected by a reflected cross-site scripting (XSS) issue when opening files via the WOPI protocol. Attackers could inject malicious scripts via crafted HTTP POST requests, which are then reflected in the… | ||
| CVE-2026-41034 | Med | 0.26 | 5.0 | 0.00 | Apr 16, 2026 | ONLYOFFICE DocumentServer before 9.3.0 has an untrusted pointer dereference in XLS processing/conversion (via pictFmla.cbBufInCtlStm and other vectors), leading to an information leak and ASLR bypass. | ||
| CVE-2022-29777 | 0.01 | — | 0.07 | Jun 1, 2022 | Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a heap overflow via the component DesktopEditor/fontengine/fontconverter/FontFileBase.h. | |||
| CVE-2022-29776 | 0.01 | — | 0.07 | Jun 1, 2022 | Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a stack overflow via the component DesktopEditor/common/File.cpp. | |||
| CVE-2021-25833 | 0.01 | — | 0.44 | Mar 1, 2021 | A file extension handling issue was found in [server] module of ONLYOFFICE DocumentServer v4.2.0.71-v5.6.0.21. The file extension is controlled by an attacker through the request data and leads to arbitrary file overwriting. Using this vulnerability, a remote attacker can obtain… | |||
| CVE-2021-25832 | 0.01 | — | 0.13 | Mar 1, 2021 | A heap buffer overflow vulnerability inside of BMP image processing was found at [core] module of ONLYOFFICE DocumentServer v4.0.0-9-v6.0.0. Using this vulnerability, an attacker is able to gain remote code executions on DocumentServer. | |||
| CVE-2021-3199 | 0.01 | — | 0.08 | Jan 22, 2021 | Directory traversal with remote code execution can occur in /upload in ONLYOFFICE Document Server before 5.6.3, when JWT is used, via a /.. sequence in an image upload parameter. | |||
| CVE-2025-68936 | 0.00 | — | 0.00 | Dec 25, 2025 | ONLYOFFICE Docs before 9.2.1 allows XSS via the Color theme name. This is related to DocumentServer. | |||
| CVE-2025-68935 | 0.00 | — | 0.00 | Dec 25, 2025 | ONLYOFFICE Docs before 9.2.1 allows XSS via the Font field for the Multilevel list settings window. This is related to DocumentServer. | |||
| CVE-2023-46988 | 0.00 | — | 0.00 | Apr 1, 2025 | Path Traversal vulnerability in ONLYOFFICE Document Server before v8.0.1 allows a remote attacker to copy arbitrary files by manipulating the fileExt parameter in the /example/editor endpoint, leading to unauthorized access to sensitive files and potential Denial of Service… | |||
| CVE-2023-30186 | 0.00 | — | 0.02 | Aug 14, 2023 | A use after free issue discovered in ONLYOFFICE DocumentServer 4.0.3 through 7.3.2 allows remote attackers to run arbitrary code via crafted JavaScript file. | |||
| CVE-2023-30188 | 0.00 | — | 0.02 | Aug 14, 2023 | Memory Exhaustion vulnerability in ONLYOFFICE Document Server 4.0.3 through 7.3.2 allows remote attackers to cause a denial of service via crafted JavaScript file. | |||
| CVE-2023-30187 | 0.00 | — | 0.02 | Aug 14, 2023 | An out of bounds memory access vulnerability in ONLYOFFICE DocumentServer 4.0.3 through 7.3.2 allows remote attackers to run arbitrary code via crafted JavaScript file. | |||
| CVE-2021-25831 | 0.00 | — | 0.12 | Mar 1, 2021 | A file extension handling issue was found in [core] module of ONLYOFFICE DocumentServer v4.0.0-9-v5.6.3. An attacker must request the conversion of the crafted file from PPTT into PPTX format. Using the chain of two other bugs related to improper string handling, a remote… | |||
| CVE-2021-25830 | 0.00 | — | 0.12 | Mar 1, 2021 | A file extension handling issue was found in [core] module of ONLYOFFICE DocumentServer v4.2.0.236-v5.6.4.13. An attacker must request the conversion of the crafted file from DOCT into DOCX format. Using the chain of two other bugs related to improper string handling, an… | |||
| CVE-2021-25829 | 0.00 | — | 0.07 | Mar 1, 2021 | An improper binary stream data handling issue was found in the [core] module of ONLYOFFICE DocumentServer v4.0.0-9-v5.6.3. Using this bug, an attacker is able to produce a denial of service attack that can eventually shut down the target server. | |||
| CVE-2020-11534 | 0.00 | — | 0.02 | Apr 15, 2020 | An issue was discovered in ONLYOFFICE Document Server 5.5.0. An attacker can craft a malicious .docx file, and exploit the NSFileDownloader function to pass parameters to a binary (such as curl or wget) and remotely execute code on a victim's server. | |||
| CVE-2020-11535 | 0.00 | — | 0.02 | Apr 15, 2020 | An issue was discovered in ONLYOFFICE Document Server 5.5.0. An attacker can craft a malicious .docx file, and exploit XML injection to enter an attacker-controlled parameter into the x2t binary, to rewrite this binary and/or libxcb.so.1, and execute code on a victim's server. | |||
| CVE-2020-11536 | 0.00 | — | 0.03 | Apr 15, 2020 | An issue was discovered in ONLYOFFICE Document Server 5.5.0. An attacker can craft a malicious .docx file, and exploit the unzip function to rewrite a binary and remotely execute code on a victim's server. | |||
| CVE-2020-11537 | 0.00 | — | 0.01 | Apr 15, 2020 | A SQL Injection issue was discovered in ONLYOFFICE Document Server 5.5.0. An attacker can execute arbitrary SQL queries via injection to DocID parameter of Websocket API. |
- risk 0.40cvss 6.1epss 0.35
ONLYOFFICE Docs (DocumentServer) in versions equal and below 8.3.1 are affected by a reflected cross-site scripting (XSS) issue when opening files via the WOPI protocol. Attackers could inject malicious scripts via crafted HTTP POST requests, which are then reflected in the…
- risk 0.26cvss 5.0epss 0.00
ONLYOFFICE DocumentServer before 9.3.0 has an untrusted pointer dereference in XLS processing/conversion (via pictFmla.cbBufInCtlStm and other vectors), leading to an information leak and ASLR bypass.
- CVE-2022-29777Jun 1, 2022risk 0.01cvss —epss 0.07
Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a heap overflow via the component DesktopEditor/fontengine/fontconverter/FontFileBase.h.
- CVE-2022-29776Jun 1, 2022risk 0.01cvss —epss 0.07
Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a stack overflow via the component DesktopEditor/common/File.cpp.
- CVE-2021-25833Mar 1, 2021risk 0.01cvss —epss 0.44
A file extension handling issue was found in [server] module of ONLYOFFICE DocumentServer v4.2.0.71-v5.6.0.21. The file extension is controlled by an attacker through the request data and leads to arbitrary file overwriting. Using this vulnerability, a remote attacker can obtain…
- CVE-2021-25832Mar 1, 2021risk 0.01cvss —epss 0.13
A heap buffer overflow vulnerability inside of BMP image processing was found at [core] module of ONLYOFFICE DocumentServer v4.0.0-9-v6.0.0. Using this vulnerability, an attacker is able to gain remote code executions on DocumentServer.
- CVE-2021-3199Jan 22, 2021risk 0.01cvss —epss 0.08
Directory traversal with remote code execution can occur in /upload in ONLYOFFICE Document Server before 5.6.3, when JWT is used, via a /.. sequence in an image upload parameter.
- CVE-2025-68936Dec 25, 2025risk 0.00cvss —epss 0.00
ONLYOFFICE Docs before 9.2.1 allows XSS via the Color theme name. This is related to DocumentServer.
- CVE-2025-68935Dec 25, 2025risk 0.00cvss —epss 0.00
ONLYOFFICE Docs before 9.2.1 allows XSS via the Font field for the Multilevel list settings window. This is related to DocumentServer.
- CVE-2023-46988Apr 1, 2025risk 0.00cvss —epss 0.00
Path Traversal vulnerability in ONLYOFFICE Document Server before v8.0.1 allows a remote attacker to copy arbitrary files by manipulating the fileExt parameter in the /example/editor endpoint, leading to unauthorized access to sensitive files and potential Denial of Service…
- CVE-2023-30186Aug 14, 2023risk 0.00cvss —epss 0.02
A use after free issue discovered in ONLYOFFICE DocumentServer 4.0.3 through 7.3.2 allows remote attackers to run arbitrary code via crafted JavaScript file.
- CVE-2023-30188Aug 14, 2023risk 0.00cvss —epss 0.02
Memory Exhaustion vulnerability in ONLYOFFICE Document Server 4.0.3 through 7.3.2 allows remote attackers to cause a denial of service via crafted JavaScript file.
- CVE-2023-30187Aug 14, 2023risk 0.00cvss —epss 0.02
An out of bounds memory access vulnerability in ONLYOFFICE DocumentServer 4.0.3 through 7.3.2 allows remote attackers to run arbitrary code via crafted JavaScript file.
- CVE-2021-25831Mar 1, 2021risk 0.00cvss —epss 0.12
A file extension handling issue was found in [core] module of ONLYOFFICE DocumentServer v4.0.0-9-v5.6.3. An attacker must request the conversion of the crafted file from PPTT into PPTX format. Using the chain of two other bugs related to improper string handling, a remote…
- CVE-2021-25830Mar 1, 2021risk 0.00cvss —epss 0.12
A file extension handling issue was found in [core] module of ONLYOFFICE DocumentServer v4.2.0.236-v5.6.4.13. An attacker must request the conversion of the crafted file from DOCT into DOCX format. Using the chain of two other bugs related to improper string handling, an…
- CVE-2021-25829Mar 1, 2021risk 0.00cvss —epss 0.07
An improper binary stream data handling issue was found in the [core] module of ONLYOFFICE DocumentServer v4.0.0-9-v5.6.3. Using this bug, an attacker is able to produce a denial of service attack that can eventually shut down the target server.
- CVE-2020-11534Apr 15, 2020risk 0.00cvss —epss 0.02
An issue was discovered in ONLYOFFICE Document Server 5.5.0. An attacker can craft a malicious .docx file, and exploit the NSFileDownloader function to pass parameters to a binary (such as curl or wget) and remotely execute code on a victim's server.
- CVE-2020-11535Apr 15, 2020risk 0.00cvss —epss 0.02
An issue was discovered in ONLYOFFICE Document Server 5.5.0. An attacker can craft a malicious .docx file, and exploit XML injection to enter an attacker-controlled parameter into the x2t binary, to rewrite this binary and/or libxcb.so.1, and execute code on a victim's server.
- CVE-2020-11536Apr 15, 2020risk 0.00cvss —epss 0.03
An issue was discovered in ONLYOFFICE Document Server 5.5.0. An attacker can craft a malicious .docx file, and exploit the unzip function to rewrite a binary and remotely execute code on a victim's server.
- CVE-2020-11537Apr 15, 2020risk 0.00cvss —epss 0.01
A SQL Injection issue was discovered in ONLYOFFICE Document Server 5.5.0. An attacker can execute arbitrary SQL queries via injection to DocID parameter of Websocket API.