What the vulnerability does
01Description
ONLYOFFICE Docs before 9.2.1 allows XSS via the Font field for the Multilevel list settings window. This is related to DocumentServer.
CVSS base score
6.4/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Key dates
02Disclosure timeline
December 25, 2025
CVE published
December 26, 2025
Record updated
External resources
03References
Related vulnerabilities
04Related CVE
CVE-2023-3755 Creativeitem Atlas Business Directory Listing filter_listings cross site scripting
CVE-2021-24260 Livemesh Addons for Elementor < 6.8 - Contributor+ Stored XSS
CVE-2026-3355 Customer Reviews for WooCommerce <= 5.101.0 - Reflected Cross-Site Scripting via 'crsearch'
CVE-2022-1904 Easy Pricing Tables < 3.2.1 - Reflected Cross-Site-Scripting
CVE-2025-15248 sunhailin12315 product-review 商品评价系统 Write a Review cross site scripting
