CVE-2024-12426 MEDIUM

CVE-2024-12426: URL fetching can be used to exfiltrate arbitrary INI file values and environment variables

Vendor: The Document Foundation
Product: LibreOffice
Weakness: CWE-200 (Information exposure)
Published: January 7, 2025
Last update: November 3, 2025

CVSS base score

6.7/10
Attack vector: Local
Attack complexity: Low
Privileges required: Low
User interaction: Passive
Confidentiality: High
Integrity: None

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

What the vulnerability does

01 Description

Exposure of Environmental Variables and arbitrary INI file values to an Unauthorized Actor vulnerability in The Document Foundation LibreOffice. URLs could be constructed which expanded environmental variables or INI file values, so potentially sensitive information could be exfiltrated to a remote server on opening a document containing such links. This issue affects LibreOffice from 24.8 before 24.8.4.

Key dates

02 Disclosure timeline

January 7, 2025: CVE published
November 3, 2025: Record updated