ONLYOFFICE
Products
6- 20 CVEs
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
Recent CVEs
25| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-5301 | Med | 0.40 | 6.1 | 0.35 | Jun 12, 2025 | ONLYOFFICE Docs (DocumentServer) in versions equal and below 8.3.1 are affected by a reflected cross-site scripting (XSS) issue when opening files via the WOPI protocol. Attackers could inject malicious scripts via crafted HTTP POST requests, which are then reflected in the… | ||
| CVE-2026-41030 | Med | 0.33 | 6.2 | 0.00 | Apr 16, 2026 | In ONLYOFFICE DesktopEditors before 9.3.0, the update service allows attackers to perform actions on files with SYSTEM privileges. | ||
| CVE-2026-38587 | Med | 0.28 | 4.3 | 0.00 | May 26, 2026 | An Insecure Direct Object Reference (IDOR) vulnerability was discovered in ONLYOFFICE DocSpace before 3.2.1. The flaw exists in multiple REST API endpoints. This allows authenticated users with low-level permissions (User or Guest) to retrieve sensitive information, such as the… | ||
| CVE-2026-41034 | Med | 0.26 | 5.0 | 0.00 | Apr 16, 2026 | ONLYOFFICE DocumentServer before 9.3.0 has an untrusted pointer dereference in XLS processing/conversion (via pictFmla.cbBufInCtlStm and other vectors), leading to an information leak and ASLR bypass. | ||
| CVE-2022-29777 | 0.01 | — | 0.07 | Jun 1, 2022 | Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a heap overflow via the component DesktopEditor/fontengine/fontconverter/FontFileBase.h. | |||
| CVE-2022-29776 | 0.01 | — | 0.07 | Jun 1, 2022 | Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a stack overflow via the component DesktopEditor/common/File.cpp. | |||
| CVE-2021-25833 | 0.01 | — | 0.44 | Mar 1, 2021 | A file extension handling issue was found in [server] module of ONLYOFFICE DocumentServer v4.2.0.71-v5.6.0.21. The file extension is controlled by an attacker through the request data and leads to arbitrary file overwriting. Using this vulnerability, a remote attacker can obtain… | |||
| CVE-2021-25832 | 0.01 | — | 0.13 | Mar 1, 2021 | A heap buffer overflow vulnerability inside of BMP image processing was found at [core] module of ONLYOFFICE DocumentServer v4.0.0-9-v6.0.0. Using this vulnerability, an attacker is able to gain remote code executions on DocumentServer. | |||
| CVE-2021-3199 | 0.01 | — | 0.08 | Jan 22, 2021 | Directory traversal with remote code execution can occur in /upload in ONLYOFFICE Document Server before 5.6.3, when JWT is used, via a /.. sequence in an image upload parameter. | |||
| CVE-2025-68936 | 0.00 | — | 0.00 | Dec 25, 2025 | ONLYOFFICE Docs before 9.2.1 allows XSS via the Color theme name. This is related to DocumentServer. | |||
| CVE-2025-68935 | 0.00 | — | 0.00 | Dec 25, 2025 | ONLYOFFICE Docs before 9.2.1 allows XSS via the Font field for the Multilevel list settings window. This is related to DocumentServer. | |||
| CVE-2023-46988 | 0.00 | — | 0.00 | Apr 1, 2025 | Path Traversal vulnerability in ONLYOFFICE Document Server before v8.0.1 allows a remote attacker to copy arbitrary files by manipulating the fileExt parameter in the /example/editor endpoint, leading to unauthorized access to sensitive files and potential Denial of Service… | |||
| CVE-2023-30188 | 0.00 | — | 0.02 | Aug 14, 2023 | Memory Exhaustion vulnerability in ONLYOFFICE Document Server 4.0.3 through 7.3.2 allows remote attackers to cause a denial of service via crafted JavaScript file. | |||
| CVE-2023-30186 | 0.00 | — | 0.02 | Aug 14, 2023 | A use after free issue discovered in ONLYOFFICE DocumentServer 4.0.3 through 7.3.2 allows remote attackers to run arbitrary code via crafted JavaScript file. | |||
| CVE-2023-30187 | 0.00 | — | 0.02 | Aug 14, 2023 | An out of bounds memory access vulnerability in ONLYOFFICE DocumentServer 4.0.3 through 7.3.2 allows remote attackers to run arbitrary code via crafted JavaScript file. | |||
| CVE-2022-47412 | 0.00 | — | 0.01 | Feb 7, 2023 | Given a malicious document provided by an attacker, the ONLYOFFICE Workspace DMS is vulnerable to a stored (persistent, or "Type II") cross-site scripting (XSS) condition. | |||
| CVE-2022-24229 | 0.00 | — | 0.02 | Apr 8, 2022 | A cross-site scripting (XSS) vulnerability in ONLYOFFICE Document Server Example before v7.0.0 allows remote attackers inject arbitrary HTML or JavaScript through /example/editor. | |||
| CVE-2021-40864 | 0.00 | — | 0.02 | Sep 10, 2021 | The Translate plugin 6.1.x through 6.3.x before 6.3.0.72 for ONLYOFFICE Document Server lacks escape calls for the msg.data and text fields. | |||
| CVE-2021-25831 | 0.00 | — | 0.12 | Mar 1, 2021 | A file extension handling issue was found in [core] module of ONLYOFFICE DocumentServer v4.0.0-9-v5.6.3. An attacker must request the conversion of the crafted file from PPTT into PPTX format. Using the chain of two other bugs related to improper string handling, a remote… | |||
| CVE-2021-25830 | 0.00 | — | 0.12 | Mar 1, 2021 | A file extension handling issue was found in [core] module of ONLYOFFICE DocumentServer v4.2.0.236-v5.6.4.13. An attacker must request the conversion of the crafted file from DOCT into DOCX format. Using the chain of two other bugs related to improper string handling, an… |
- risk 0.40cvss 6.1epss 0.35
ONLYOFFICE Docs (DocumentServer) in versions equal and below 8.3.1 are affected by a reflected cross-site scripting (XSS) issue when opening files via the WOPI protocol. Attackers could inject malicious scripts via crafted HTTP POST requests, which are then reflected in the…
- risk 0.33cvss 6.2epss 0.00
In ONLYOFFICE DesktopEditors before 9.3.0, the update service allows attackers to perform actions on files with SYSTEM privileges.
- risk 0.28cvss 4.3epss 0.00
An Insecure Direct Object Reference (IDOR) vulnerability was discovered in ONLYOFFICE DocSpace before 3.2.1. The flaw exists in multiple REST API endpoints. This allows authenticated users with low-level permissions (User or Guest) to retrieve sensitive information, such as the…
- risk 0.26cvss 5.0epss 0.00
ONLYOFFICE DocumentServer before 9.3.0 has an untrusted pointer dereference in XLS processing/conversion (via pictFmla.cbBufInCtlStm and other vectors), leading to an information leak and ASLR bypass.
- CVE-2022-29777Jun 1, 2022risk 0.01cvss —epss 0.07
Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a heap overflow via the component DesktopEditor/fontengine/fontconverter/FontFileBase.h.
- CVE-2022-29776Jun 1, 2022risk 0.01cvss —epss 0.07
Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a stack overflow via the component DesktopEditor/common/File.cpp.
- CVE-2021-25833Mar 1, 2021risk 0.01cvss —epss 0.44
A file extension handling issue was found in [server] module of ONLYOFFICE DocumentServer v4.2.0.71-v5.6.0.21. The file extension is controlled by an attacker through the request data and leads to arbitrary file overwriting. Using this vulnerability, a remote attacker can obtain…
- CVE-2021-25832Mar 1, 2021risk 0.01cvss —epss 0.13
A heap buffer overflow vulnerability inside of BMP image processing was found at [core] module of ONLYOFFICE DocumentServer v4.0.0-9-v6.0.0. Using this vulnerability, an attacker is able to gain remote code executions on DocumentServer.
- CVE-2021-3199Jan 22, 2021risk 0.01cvss —epss 0.08
Directory traversal with remote code execution can occur in /upload in ONLYOFFICE Document Server before 5.6.3, when JWT is used, via a /.. sequence in an image upload parameter.
- CVE-2025-68936Dec 25, 2025risk 0.00cvss —epss 0.00
ONLYOFFICE Docs before 9.2.1 allows XSS via the Color theme name. This is related to DocumentServer.
- CVE-2025-68935Dec 25, 2025risk 0.00cvss —epss 0.00
ONLYOFFICE Docs before 9.2.1 allows XSS via the Font field for the Multilevel list settings window. This is related to DocumentServer.
- CVE-2023-46988Apr 1, 2025risk 0.00cvss —epss 0.00
Path Traversal vulnerability in ONLYOFFICE Document Server before v8.0.1 allows a remote attacker to copy arbitrary files by manipulating the fileExt parameter in the /example/editor endpoint, leading to unauthorized access to sensitive files and potential Denial of Service…
- CVE-2023-30188Aug 14, 2023risk 0.00cvss —epss 0.02
Memory Exhaustion vulnerability in ONLYOFFICE Document Server 4.0.3 through 7.3.2 allows remote attackers to cause a denial of service via crafted JavaScript file.
- CVE-2023-30186Aug 14, 2023risk 0.00cvss —epss 0.02
A use after free issue discovered in ONLYOFFICE DocumentServer 4.0.3 through 7.3.2 allows remote attackers to run arbitrary code via crafted JavaScript file.
- CVE-2023-30187Aug 14, 2023risk 0.00cvss —epss 0.02
An out of bounds memory access vulnerability in ONLYOFFICE DocumentServer 4.0.3 through 7.3.2 allows remote attackers to run arbitrary code via crafted JavaScript file.
- CVE-2022-47412Feb 7, 2023risk 0.00cvss —epss 0.01
Given a malicious document provided by an attacker, the ONLYOFFICE Workspace DMS is vulnerable to a stored (persistent, or "Type II") cross-site scripting (XSS) condition.
- CVE-2022-24229Apr 8, 2022risk 0.00cvss —epss 0.02
A cross-site scripting (XSS) vulnerability in ONLYOFFICE Document Server Example before v7.0.0 allows remote attackers inject arbitrary HTML or JavaScript through /example/editor.
- CVE-2021-40864Sep 10, 2021risk 0.00cvss —epss 0.02
The Translate plugin 6.1.x through 6.3.x before 6.3.0.72 for ONLYOFFICE Document Server lacks escape calls for the msg.data and text fields.
- CVE-2021-25831Mar 1, 2021risk 0.00cvss —epss 0.12
A file extension handling issue was found in [core] module of ONLYOFFICE DocumentServer v4.0.0-9-v5.6.3. An attacker must request the conversion of the crafted file from PPTT into PPTX format. Using the chain of two other bugs related to improper string handling, a remote…
- CVE-2021-25830Mar 1, 2021risk 0.00cvss —epss 0.12
A file extension handling issue was found in [core] module of ONLYOFFICE DocumentServer v4.2.0.236-v5.6.4.13. An attacker must request the conversion of the crafted file from DOCT into DOCX format. Using the chain of two other bugs related to improper string handling, an…