The Document Foundation — Vulnerabilities & Security Advisories 27

Browse all 27 CVE security advisories affecting The Document Foundation. AI-powered Chinese analysis, POCs, and references for each vulnerability.

The Document Foundation develops LibreOffice, an open-source office suite widely used for document creation, spreadsheet management, and presentation design across enterprise and personal environments. Its core software processes complex file formats, making it a frequent target for attackers exploiting parsing logic. Historically, common vulnerability classes include remote code execution (RCE) via malformed documents, buffer overflows in legacy components, and cross-site scripting (XSS) within its web-based collaboration tools. While privilege escalation incidents are less frequent, the sheer volume of 26 recorded CVEs highlights persistent risks in handling untrusted input. The organization maintains a transparent security advisory process, addressing critical flaws through regular updates rather than concealing them. Major incidents have primarily involved malicious macro execution or crafted files triggering memory corruption, underscoring the importance of user awareness and timely patching to mitigate these well-documented technical weaknesses in the application’s document processing engine.

Top products by The Document Foundation: LibreOffice
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-4430 | Heap Buffer Overflow in AgileEngine | LibreOffice | CWE-787 | 7.8 (AI) | High (AI) | 2026-05-07 |
| CVE-2025-14714 | TCC Bypass via Inherited Permissions in Bundled Interpreter | LibreOffice | CWE-288 | 9.8 (AI) | Critical (AI) | 2025-12-15 |
| CVE-2025-2866 | PDF signature forgery with adbe.pkcs7.sha1 SubFilter | LibreOffice | CWE-347 | 6.5 | - | 2025-04-27 |
| CVE-2021-25635 | Content Manipulation with Certificate Validation Attack | LibreOffice | CWE-295 | 7.5 | - | 2025-03-21 |
| CVE-2025-1080 | Macro URL arbitrary script execution | LibreOffice | CWE-20 | 8.8 | - | 2025-03-04 |
| CVE-2025-0514 | Executable hyperlink Windows path targets executed unconditionally on activation | LibreOffice | CWE-20 | 6.5 | - | 2025-02-25 |
| CVE-2024-12426 | URL fetching can be used to exfiltrate arbitrary INI file values and environment variables | LibreOffice | CWE-200 | 6.5 | - | 2025-01-07 |
| CVE-2024-12425 | Path traversal leading to arbitrary .ttf file write | LibreOffice | CWE-22 | 6.2 | - | 2025-01-07 |
| CVE-2024-7788 | Signatures in "repair mode" should not be trusted | LibreOffice | CWE-347 | 7.8 | High | 2024-09-17 |
| CVE-2024-6472 | Ability to trust not validated macro signatures removed in high security mode | LibreOffice | CWE-295 | 7.8 | High | 2024-08-05 |
| CVE-2024-5261 | TLS certificate are not properly verified when utilizing LibreOfficeKit | LibreOffice | CWE-295 | 9.1 (AI) | Critical (AI) | 2024-06-25 |
| CVE-2024-3044 | Graphic on-click binding allows unchecked script execution | LibreOffice | CWE-356 | 7.1 | - | 2024-05-14 |
| CVE-2023-6186 | Link targets allow arbitrary script execution | LibreOffice | | 8.3 | High | 2023-12-11 |
| CVE-2023-6185 | Improper input validation enabling arbitrary Gstreamer pipeline injection | LibreOffice | | 8.3 | High | 2023-12-11 |
| CVE-2023-0950 | Array Index UnderFlow in Calc Formula Parsing | LibreOffice | CWE-129 | 8.8 | - | 2023-05-25 |
| CVE-2023-2255 | Remote documents loaded without prompt via IFrame | LibreOffice | CWE-264 | 5.3 | - | 2023-05-25 |
| CVE-2022-3140 | Macro URL arbitrary script execution | LibreOffice | CWE-20 | 7.6 | - | 2022-10-11 |
| CVE-2022-26307 | Weak Master Keys | LibreOffice | CWE-326 | 8.8 | - | 2022-07-25 |
| CVE-2022-26306 | Execution of Untrusted Macros Due to Improper Certificate Validation | LibreOffice | CWE-326 | 9.1 | - | 2022-07-25 |
| CVE-2022-26305 | Execution of Untrusted Macros Due to Improper Certificate Validation | LibreOffice | CWE-295 | 7.5 | - | 2022-07-25 |
| CVE-2021-25636 | Incorrect trust validation of signature with ambiguous KeyInfo children | LibreOffice | CWE-347 | 7.5 | - | 2022-02-22 |
| CVE-2021-25634 | Timestamp Manipulation with Signature Wrapping | LibreOffice | CWE-295 | 7.5 | - | 2021-10-12 |
| CVE-2021-25633 | Content Manipulation with Double Certificate Attack | LibreOffice | CWE-295 | 7.5 | - | 2021-10-11 |
| CVE-2021-25631 | denylist of executable filename extensions possible to bypass under windows | LibreOffice | CWE-184 | 8.8 | - | 2021-05-03 |
| CVE-2020-12803 | XForms submissions could overwrite local files | LibreOffice | | 6.5 | - | 2020-06-08 |
| CVE-2020-12802 | remote graphics contained in docx format retrieved in 'stealth mode' | LibreOffice | CWE-200 | 5.3 | - | 2020-06-08 |
| CVE-2020-12801 | Crash-recovered MSOffice encrypted documents defaulted to not to using encryption on next save | LibreOffice | CWE-311 | 8.2 | - | 2020-05-18 |

This page lists every published CVE security advisory associated with The Document Foundation. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.