Onlyoffice Document Server — known CVE vulnerabilities
Every CVE whose affected-product data names Onlyoffice Document Server, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (21)
CVE-2023-30186 — CVSS 9.8 (critical): A use after free issue discovered in ONLYOFFICE DocumentServer 4.0.3 through 7.3.2 allows remote attackers to run arbitrary code via…
CVE-2023-30187 — CVSS 9.8 (critical): An out of bounds memory access vulnerability in ONLYOFFICE DocumentServer 4.0.3 through 7.3.2 allows remote attackers to run arbitrary code…
CVE-2020-11536 — CVSS 9.8 (critical): An issue was discovered in ONLYOFFICE Document Server 5.5.0. An attacker can craft a malicious .docx file, and exploit the unzip function…
CVE-2020-11537 — CVSS 9.8 (critical): A SQL Injection issue was discovered in ONLYOFFICE Document Server 5.5.0. An attacker can execute arbitrary SQL queries via injection to…
CVE-2020-11535 — CVSS 9.8 (critical): An issue was discovered in ONLYOFFICE Document Server 5.5.0. An attacker can craft a malicious .docx file, and exploit XML injection to…
CVE-2021-25830 — CVSS 9.8 (critical): A file extension handling issue was found in [core] module of ONLYOFFICE DocumentServer v4.2.0.236-v5.6.4.13. An attacker must request the…
CVE-2021-25831 — CVSS 9.8 (critical): A file extension handling issue was found in [core] module of ONLYOFFICE DocumentServer v4.0.0-9-v5.6.3. An attacker must request the…
CVE-2021-25832 — CVSS 9.8 (critical): A heap buffer overflow vulnerability inside of BMP image processing was found at [core] module of ONLYOFFICE DocumentServer…
CVE-2021-25833 — CVSS 9.8 (critical): A file extension handling issue was found in [server] module of ONLYOFFICE DocumentServer v4.2.0.71-v5.6.0.21. The file extension is…
CVE-2021-3199 — CVSS 9.8 (critical): Directory traversal with remote code execution can occur in /upload in ONLYOFFICE Document Server before 5.6.3, when JWT is used, via a /…
CVE-2020-11534 — CVSS 9.8 (critical): An issue was discovered in ONLYOFFICE Document Server 5.5.0. An attacker can craft a malicious .docx file, and exploit the NSFileDownloader…
CVE-2022-29776 — CVSS 9.8 (critical): Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a stack overflow via the component…
CVE-2022-29777 — CVSS 9.8 (critical): Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a heap overflow via the component…
CVE-2022-48422 — CVSS 7.8 (high): ONLYOFFICE Docs through 7.3 on certain Linux distributions allows local users to gain privileges via a Trojan horse libgcc_s.so.1 in the…
CVE-2023-30188 — CVSS 7.5 (high): Memory Exhaustion vulnerability in ONLYOFFICE Document Server 4.0.3 through 7.3.2 allows remote attackers to cause a denial of service via…
CVE-2021-25829 — CVSS 7.5 (high): An improper binary stream data handling issue was found in the [core] module of ONLYOFFICE DocumentServer v4.0.0-9-v5.6.3. Using this bug…
CVE-2023-46988 — CVSS 6.7 (medium): Path Traversal vulnerability in ONLYOFFICE Document Server before v8.0.1 allows a remote attacker to copy arbitrary files by manipulating…
CVE-2025-68936 — CVSS 6.4 (medium): ONLYOFFICE Docs before 9.2.1 allows XSS via the Color theme name. This is related to DocumentServer.
CVE-2025-68935 — CVSS 6.4 (medium): ONLYOFFICE Docs before 9.2.1 allows XSS via the Font field for the Multilevel list settings window. This is related to DocumentServer.
CVE-2022-24229 — CVSS 6.1 (medium): A cross-site scripting (XSS) vulnerability in ONLYOFFICE Document Server Example before v7.0.0 allows remote attackers inject arbitrary…
CVE-2023-50883 — CVSS 6.1 (medium): ONLYOFFICE Docs before 8.0.1 allows XSS because a macro is an immediately-invoked function expression (IIFE), and therefore a sandbox…