CVE-2025-68917
Published 2025-12-24. CVE-2025-68917: ONLYOFFICE Docs before 9.2.1 allows XSS in the textarea of the comment editing form. This is related to DocumentServer.
Priority: P432 | Severity: medium | CVSS 3.1 base score: 6.4
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
EPSS: 0.15% (4.6th percentile)
## Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| onlyoffice | document_server | < 9.2.1 | 9.2.1 |
No detection rules found.
No public exploits indexed.
## Wiz: CVE-2025-68935 Impact, Exploitability, and Mitigation Steps (blogs_wiz · CVSS 6.7, MEDIUM)
CVE-2025-68935: ONLYOFFICE DocumentServer vulnerability analysis and mitigation
ONLYOFFICE Docs before 9.2.1 allows XSS via the Font field for the Multilevel list settings window. This is related to DocumentServer.
Source: NVD
Score: 6.1
Published: December 25, 2025
Severity: MEDIUM
CNA Score: 6.4
Affected Technologies: ONLYOFFICE DocumentServer
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 2.1
Exploitation Probability (EPSS): N/A
Affected packages and libraries: cpe:2.3:a:onlyoffice:document_server
Sources:
- Windows | Severity: MEDIUM | Has Fix | Added at: Dec 28, 2025
- Windows | Severity: MEDIUM | Has Fix | Added at: Jan 04, 2026
## Wiz: CVE-2025-68917 Impact, Exploitability, and Mitigation Steps (blogs_wiz · CVSS 6.7, MEDIUM)
CVE-2025-68917: ONLYOFFICE DocumentServer vulnerability analysis and mitigation
ONLYOFFICE Docs before 9.2.1 allows XSS in the textarea of the comment editing form. This is related to DocumentServer.
Source: NVD
Score: 6.4
Published: December 24, 2025
Severity: MEDIUM
CNA Score: 6.4
Affected Technologies: ONLYOFFICE DocumentServer
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 13.1
Exploitation Probability (EPSS): N/A
Affected packages and libraries: cpe:2.3:a:onlyoffice:document_server
Sources:
- NVD
- Windows | Severity: MEDIUM | Has Fix | Added at: Dec 26, 2025
## Wiz: CVE-2025-68936 Impact, Exploitability, and Mitigation Steps (blogs_wiz · CVSS 6.7, MEDIUM)
CVE-2025-68936: ONLYOFFICE DocumentServer vulnerability analysis and mitigation
ONLYOFFICE Docs before 9.2.1 allows XSS via the Color theme name. This is related to DocumentServer.
Source: NVD
Score: 6.1
Published: December 25, 2025
Severity: MEDIUM
CNA Score: 6.4
Affected Technologies: ONLYOFFICE DocumentServer
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 2.1
Exploitation Probability (EPSS): N/A
Affected packages and libraries: cpe:2.3:a:onlyoffice:document_server
Sources:
- Windows | Severity: MEDIUM | Has Fix | Added at: Dec 28, 2025
- Windows | Severity: MEDIUM | Has Fix | Added at: Jan 04, 2026