cpe:2.3:a:onlyoffice:server:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor: Onlyoffice (aa7cc050-0dc3-5b16-8f30-50874a0ca7d2)
Product: Server (a1b79a60-316a-55e8-9de9-e066c78d7584)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from purl2cpe mapping

PURL mappings

PURL: pkg:github/onlyoffice/server
Source: purl2cpe
Last updated: 2026-06-01 10:18:00.390457

Vulnerability references

Identifier: CVE:CVE-2021-43449
cpeApplicability: vulnerable
Submitted: 2026-06-08 05:36:43.406689
db.gcve.eu details: ONLYOFFICE all versions as of 2021-11-08 is vulnerable to Server-Side Request Forgery (SSRF). The document editor service can be abused to read and serve arbitrary URLs as a document.
Published: 2023-01-23T00:00:00.000Z
Updated: 2025-04-02T15:59:28.282Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE:CVE-2021-43448
cpeApplicability: vulnerable
Submitted: 2026-06-08 05:36:43.406337
db.gcve.eu details: ONLYOFFICE all versions as of 2021-11-08 is vulnerable to Improper Input Validation. A lack of input validation can allow an attacker to spoof the names of users who interact with a document, if the document id is known.
Published: 2023-01-23T00:00:00.000Z
Updated: 2025-04-02T16:00:33.536Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE:CVE-2021-43447
cpeApplicability: vulnerable
Submitted: 2026-06-08 05:36:43.405866
db.gcve.eu details: ONLYOFFICE all versions as of 2021-11-08 is affected by Incorrect Access Control. An authentication bypass in the document editor allows attackers to edit documents without authentication.
Published: 2023-01-23T00:00:00.000Z
Updated: 2025-04-02T16:02:06.611Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE:CVE-2021-43446
cpeApplicability: vulnerable
Submitted: 2026-06-08 05:36:43.405404
db.gcve.eu details: ONLYOFFICE all versions as of 2021-11-08 is vulnerable to Cross Site Scripting (XSS). The "macros" feature of the document editor allows malicious cross site scripting payloads to be used.
Published: 2023-01-23T00:00:00.000Z
Updated: 2025-04-02T16:03:09.098Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE:CVE-2021-43445
cpeApplicability: vulnerable
Submitted: 2026-06-08 05:36:43.404914
db.gcve.eu details: ONLYOFFICE all versions as of 2021-11-08 is affected by Incorrect Access Control. An attacker can authenticate with the web socket service of the ONLYOFFICE document editor which is protected by JWT auth by using a default JWT signing key.
Published: 2023-01-23T00:00:00.000Z
Updated: 2025-04-02T16:04:58.533Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE:CVE-2021-43444
cpeApplicability: vulnerable
Submitted: 2026-06-08 05:36:43.404302
db.gcve.eu details: db.gcve.eu details were skipped to keep the page responsive.
Rationale: Imported from gcve-enriched-dumps CVE data
