CVE-2025-1080 HIGH

CVE-2025-1080: Macro URL arbitrary script execution

Vendor The Document Foundation
Product LibreOffice
Weakness CWE-20 · Input validation
Published March 4, 2025
Last update November 3, 2025

CVSS base score

7.2/10
Attack vector Local
Attack complexity High
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:L/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01Description

LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme 'vnd.libreoffice.command' specific to LibreOffice was added. In the affected versions of LibreOffice a link in a browser using that scheme could be constructed with an embedded inner URL that when passed to LibreOffice could call internal macros with arbitrary arguments. This issue affects LibreOffice: from 24.8 before < 24.8.5, from 25.2 before < 25.2.1.

Key dates

02Disclosure timeline

March 4, 2025 CVE published
November 3, 2025 Record updated