CVE-2025-68936 Overview
CVE-2025-68936 is a stored cross-site scripting (XSS) vulnerability affecting ONLYOFFICE Docs versions prior to 9.2.1. The flaw resides in the DocumentServer component and is triggered through the Color theme name field, which fails to sanitize user-supplied input before rendering it in the browser. An attacker who can supply a malicious theme name can inject JavaScript that executes in the context of another user's session.
The vulnerability is classified under CWE-79: Improper Neutralization of Input During Web Page Generation. Exploitation requires user interaction, but no authentication is required to deliver the payload over the network.
Critical Impact
Successful exploitation allows attackers to execute arbitrary JavaScript in victim browsers, enabling session token theft, document manipulation, and unauthorized actions within ONLYOFFICE Docs deployments.
Affected Products
- ONLYOFFICE Docs (Document Server) versions prior to 9.2.1
- ONLYOFFICE DocumentServer component
- Self-hosted and containerized ONLYOFFICE Docs deployments running vulnerable builds
Discovery Timeline
- 2025-12-25 - CVE-2025-68936 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-68936
Vulnerability Analysis
The vulnerability stems from improper output encoding of the Color theme name value in the ONLYOFFICE DocumentServer web interface. When a theme name containing HTML or JavaScript characters is stored and later rendered in the document editor UI, the browser interprets the payload as executable script rather than inert text.
Because the payload executes in the origin of the ONLYOFFICE Docs application, injected code can read cookies not marked HttpOnly, issue authenticated API requests, modify document content, and pivot against other collaborators viewing the affected theme. The scope-changed CVSS vector indicates the impact reaches beyond the vulnerable component to affect other users of the platform.
The EPSS score reported is 0.178%, reflecting limited observed exploitation activity at this time.
Root Cause
The root cause is missing input sanitization and output encoding on the Color theme name attribute. User-controlled string data flows from theme configuration into the DOM without HTML entity encoding or a Content Security Policy that would block inline script execution.
Attack Vector
An attacker crafts a theme with a malicious name containing an XSS payload such as an <img> or <svg> tag with an event handler. When a victim opens a document that references the poisoned theme, the injected script executes in the victim's browser session within the ONLYOFFICE Docs origin. See the ONLYOFFICE DocumentServer CHANGELOG for the technical fix summary.
Detection Methods for CVE-2025-68936
Indicators of Compromise
- Theme configuration entries or API payloads containing HTML tags, javascript: URIs, or event handler attributes such as onerror= and onload= in the Color theme name field
- Unexpected outbound requests from ONLYOFFICE Docs users to attacker-controlled domains shortly after opening shared documents
- Anomalous session activity, including document edits or API calls initiated from user accounts without corresponding UI interaction
Detection Strategies
- Inspect application logs and database records for theme name values that contain angle brackets, quotes, or script keywords
- Deploy a Content Security Policy in report-only mode to surface inline script execution attempts originating from the DocumentServer UI
- Review reverse proxy or WAF logs for requests to theme-management endpoints containing encoded XSS payloads
Monitoring Recommendations
- Alert on modifications to theme configuration by non-administrative accounts
- Monitor browser error telemetry and CSP violation reports for the ONLYOFFICE origin
- Track authentication and document API activity for behavioral anomalies indicative of session hijacking
How to Mitigate CVE-2025-68936
Immediate Actions Required
- Upgrade ONLYOFFICE Docs (DocumentServer) to version 9.2.1 or later
- Audit existing theme configurations for suspicious names containing HTML or script fragments and remove them
- Rotate session tokens and reset credentials for accounts that may have interacted with untrusted themes
Patch Information
ONLYOFFICE addressed the issue in DocumentServer 9.2.1. Refer to the ONLYOFFICE DocumentServer CHANGELOG 9.2.1 for the vendor's release notes and fix confirmation.
Workarounds
- Restrict theme creation and modification privileges to trusted administrators until patching is complete
- Enforce a strict Content Security Policy that disallows inline scripts and unsafe-inline on the DocumentServer origin
- Place ONLYOFFICE Docs behind a web application firewall configured to block XSS payloads in theme-related endpoints
# Example CSP header to reduce XSS impact on the DocumentServer origin
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'";
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

