CVE-2023-46988
Published 2025-04-01
Priority: P3 · 35 · medium · 6.7 (CVSS 3.1)
Vector: AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.46% (36.7th percentile)
Path Traversal vulnerability in ONLYOFFICE Document Server before v8.0.1 allows a remote attacker to copy arbitrary files by manipulating the fileExt parameter in the /example/editor endpoint, leading to unauthorized access to sensitive files and potential Denial of Service (DoS).
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| onlyoffice | document_server | >= 7.4.0 < 8.0.1 | 8.0.1 |
No detection rules found.
No public exploits indexed.
Wiz
CVE-2025-68935 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.7
## CVE-2025-68935: ONLYOFFICE DocumentServer vulnerability analysis and mitigation
ONLYOFFICE Docs before 9.2.1 allows XSS via the Font field for the Multilevel list settings window. This is related to DocumentServer.
Source: NVD
Score: 6.1
Published: December 25, 2025
Severity: MEDIUM
CNA Score: 6.4
Affected Technologies: ONLYOFFICE DocumentServer
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 2.1
Exploitation Probability (EPSS): N/A
Affected packages and libraries
cpe:2.3:a:onlyoffice:document_server
Sources
Windows Severity MEDIUM Has Fix Added at: Dec 28, 2025
Windows Severity MEDIUM Has Fix Added at: Jan 04, 2026
Wiz
CVE-2025-68917 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.7
## CVE-2025-68917: ONLYOFFICE DocumentServer vulnerability analysis and mitigation
ONLYOFFICE Docs before 9.2.1 allows XSS in the textarea of the comment editing form. This is related to DocumentServer.
Source: NVD
Score: 6.4
Published: December 24, 2025
Severity: MEDIUM
CNA Score: 6.4
Affected Technologies: ONLYOFFICE DocumentServer
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 13.1
Exploitation Probability (EPSS): N/A
Affected packages and libraries
cpe:2.3:a:onlyoffice:document_server
Sources
NVD
Windows Severity MEDIUM Has Fix Added at: Dec 26, 2025
Wiz
CVE-2025-68936 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.7
## CVE-2025-68936: ONLYOFFICE DocumentServer vulnerability analysis and mitigation
ONLYOFFICE Docs before 9.2.1 allows XSS via the Color theme name. This is related to DocumentServer.
Source: NVD
Score: 6.1
Published: December 25, 2025
Severity: MEDIUM
CNA Score: 6.4
Affected Technologies: ONLYOFFICE DocumentServer
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 2.1
Exploitation Probability (EPSS): N/A
Affected packages and libraries
cpe:2.3:a:onlyoffice:document_server
Sources
Windows Severity MEDIUM Has Fix Added at: Dec 28, 2025
Windows Severity MEDIUM Has Fix Added at: Jan 04, 2026