Browse all 8 CVE security advisories affecting OnlyOffice. AI-powered Chinese analysis, POCs, and references for each vulnerability.
ONLYOFFICE is a collaborative platform offering document editing, management, and office suite functionality. Historically, vulnerabilities have included remote code execution, cross-site scripting, and privilege escalation, often stemming from improper input validation and access control flaws. The platform has faced security concerns, with eight CVEs recorded to date, highlighting risks in areas like API endpoints and document processing. While providing comprehensive collaboration tools, security researchers have identified potential weaknesses in authentication mechanisms and file handling. Organizations implementing ONLYOFFICE should prioritize regular updates and security hardening to mitigate these risks, as the platform's broad functionality increases its attack surface.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2025-68936 | ONLYOFFICE Docs 跨站脚本漏洞 — Document ServerCWE-79 | 6.4 | Medium | 2025-12-25 |
| CVE-2025-68935 | ONLYOFFICE Docs 跨站脚本漏洞 — Document ServerCWE-79 | 6.4 | Medium | 2025-12-25 |
| CVE-2025-68917 | ONLYOFFICE Docs 跨站脚本漏洞 — Document ServerCWE-79 | 6.4 | Medium | 2025-12-24 |
| CVE-2025-6380 | ONLYOFFICE Docs 1.1.0 - 2.2.0 - Missing Authorization to Unauthenticated Privilege Escalation via callback Function — ONLYOFFICE DocsCWE-862 | 9.8 | Critical | 2025-07-24 |
| CVE-2025-5301 | Reflected Cross-Site Scripting in ONLYOFFICE Docs (DocumentServer) — Docs (DocumentServer)CWE-79 | 6.1AI | MediumAI | 2025-06-12 |
| CVE-2024-11750 | ONLYOFFICE DocSpace <= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting — ONLYOFFICE DocSpaceCWE-79 | 6.4 | Medium | 2024-12-12 |
| CVE-2024-11450 | ONLYOFFICE Docs <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting — ONLYOFFICE DocsCWE-79 | 6.4 | Medium | 2024-12-06 |
| CVE-2022-47412 | ONLYOFFICE Workspace Search Stored XSS — WorkspaceCWE-79 | 5.4 | - | 2023-02-07 |
This page lists every published CVE security advisory associated with OnlyOffice. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.