Vendor: ONLYOFFICE
Products: 2
CVEs: 4
Across products: 4
Status: Private
Products: 2
- 3 CVEs
- 1 CVE
Recent CVEs: 4

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-41030 | Med | 0.40 | 6.2 | 0.00 | | Apr 16, 2026 | In ONLYOFFICE DesktopEditors before 9.3.0, the update service allows attackers to perform actions on files with SYSTEM privileges. |
| CVE-2026-41034 | Med | 0.33 | 5.0 | 0.00 | | Apr 16, 2026 | ONLYOFFICE DocumentServer before 9.3.0 has an untrusted pointer dereference in XLS processing/conversion (via pictFmla.cbBufInCtlStm and other vectors), leading to an information leak and ASLR bypass. |
| CVE-2025-68936 | | 0.00 | — | 0.00 | | Dec 25, 2025 | ONLYOFFICE Docs before 9.2.1 allows XSS via the Color theme name. This is related to DocumentServer. |
| CVE-2025-68935 | | 0.00 | — | 0.00 | | Dec 25, 2025 | ONLYOFFICE Docs before 9.2.1 allows XSS via the Font field for the Multilevel list settings window. This is related to DocumentServer. |