Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

The Document Foundation — Vulnerabilities & Security Advisories 34

Browse all 34 CVE security advisories affecting The Document Foundation. AI-powered Chinese analysis, POCs, and references for each vulnerability.

The Document Foundation develops LibreOffice, an open-source office suite widely used for document creation, spreadsheet management, and presentation design across enterprise and personal environments. Its core software processes complex file formats, making it a frequent target for attackers exploiting parsing logic. Historically, common vulnerability classes include remote code execution (RCE) via malformed documents, buffer overflows in legacy components, and cross-site scripting (XSS) within its web-based collaboration tools. While privilege escalation incidents are less frequent, the sheer volume of 26 recorded CVEs highlights persistent risks in handling untrusted input. The organization maintains a transparent security advisory process, addressing critical flaws through regular updates rather than concealing them. Major incidents have primarily involved malicious macro execution or crafted files triggering memory corruption, underscoring the importance of user awareness and timely patching to mitigate these well-documented technical weaknesses in the application’s document processing engine.

Top products by The Document Foundation: LibreOffice
CVE IDTitleCVSSSeverityPublished
CVE-2026-8358 Heap buffer overflow in spreadsheet tracked-changes import — LibreOfficeCWE-843--2026-06-15
CVE-2026-8357 Heap buffer overflow in Calc formula compilation — LibreOfficeCWE-787--2026-06-15
CVE-2026-8356 Stack buffer overflow in PPT presentation import — LibreOfficeCWE-787--2026-06-15
CVE-2026-6047 Heap buffer overflow in OOXML text box element import — LibreOfficeCWE-787--2026-06-15
CVE-2026-6045 Heap buffer overflow in EMF+ gradient brush import — LibreOfficeCWE-787--2026-06-15
CVE-2026-6040 Heap use-after-free in ODF number-format blank-width parsing — LibreOfficeCWE-416--2026-06-15
CVE-2026-6039 Heap buffer overflow in DXF polyline import — LibreOfficeCWE-787--2026-06-15
CVE-2026-4430 Heap Buffer Overflow in AgileEngine — LibreOfficeCWE-787 7.8AIHighAI2026-05-07
CVE-2025-14714 TCC Bypass via Inherited Permissions in Bundled Interpreter — LibreOfficeCWE-288 9.8AICriticalAI2025-12-15
CVE-2025-2866 PDF signature forgery with adbe.pkcs7.sha1 SubFilter — LibreOfficeCWE-347 6.5 -2025-04-27
CVE-2021-25635 Content Manipulation with Certificate Validation Attack — LibreOfficeCWE-295 7.5 -2025-03-21
CVE-2025-1080 Macro URL arbitrary script execution — LibreOfficeCWE-20 8.8 -2025-03-04
CVE-2025-0514 Executable hyperlink Windows path targets executed unconditionally on activation — LibreOfficeCWE-20 6.5 -2025-02-25
CVE-2024-12426 URL fetching can be used to exfiltrate arbitrary INI file values and environment variables — LibreOfficeCWE-200 6.5 -2025-01-07
CVE-2024-12425 Path traversal leading to arbitrary .ttf file write — LibreOfficeCWE-22 6.2 -2025-01-07
CVE-2024-7788 Signatures in "repair mode" should not be trusted — LibreOfficeCWE-347 7.8 High2024-09-17
CVE-2024-6472 Ability to trust not validated macro signatures removed in high security mode — LibreOfficeCWE-295 7.8 High2024-08-05
CVE-2024-5261 TLS certificate are not properly verified when utilizing LibreOfficeKit — LibreOfficeCWE-295 9.1AICriticalAI2024-06-25
CVE-2024-3044 Graphic on-click binding allows unchecked script execution — LibreOfficeCWE-356 7.1 -2024-05-14
CVE-2023-6186 Link targets allow arbitrary script execution — LibreOffice 8.3 High2023-12-11
CVE-2023-6185 Improper input validation enabling arbitrary Gstreamer pipeline injection — LibreOffice 8.3 High2023-12-11
CVE-2023-0950 Array Index UnderFlow in Calc Formula Parsing — LibreOfficeCWE-129 8.8 -2023-05-25
CVE-2023-2255 Remote documents loaded without prompt via IFrame — LibreOfficeCWE-264 5.3 -2023-05-25
CVE-2022-3140 Macro URL arbitrary script execution — LibreOfficeCWE-20 7.6 -2022-10-11
CVE-2022-26307 Weak Master Keys — LibreOfficeCWE-326 8.8 -2022-07-25
CVE-2022-26305 Execution of Untrusted Macros Due to Improper Certificate Validation — LibreOfficeCWE-295 7.5 -2022-07-25
CVE-2022-26306 Execution of Untrusted Macros Due to Improper Certificate Validation — LibreOfficeCWE-326 9.1 -2022-07-25
CVE-2021-25636 Incorrect trust validation of signature with ambiguous KeyInfo children — LibreOfficeCWE-347 7.5 -2022-02-22
CVE-2021-25634 Timestamp Manipulation with Signature Wrapping — LibreOfficeCWE-295 7.5 -2021-10-12
CVE-2021-25633 Content Manipulation with Double Certificate Attack — LibreOfficeCWE-295 7.5 -2021-10-11

This page lists every published CVE security advisory associated with The Document Foundation. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.