CVE-2025-66208 · CRITICAL 9.8 · EPSS p56.5%

Description

Collabora Online - Built-in CODE Server (richdocumentscode) provides a built-in server with all of the document editing features of Collabora Online. In versions prior to 25.04.702, Collabora Online has a Configuration-Dependent RCE (OS Command Injection) in richdocumentscode proxy. Users of Nextcloud with Collabora Online - Built-in CODE Server app can be vulnerable to attack via proxy.php and an intermediate reverse proxy. This vulnerability is fixed in 25.04.702.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.95% probability of exploitation · percentile 56.5% · 2026-06-18T12:00:27Z
Published: 2025-12-03
Last modified: 2025-12-08

Underlying weaknesses · 1

CWE-78

References

  1. https://github.com/CollaboraOnline/online/security/advisories/GHSA-j3q6-q5pc-v5wf

Type | Target | Confidence | Tier
Weakness | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') cwe-78 | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-45267
CVE-2026-45278
CVE-2026-45545
CVE-2026-45275
CVE-2026-45690
CVE-2025-62222

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.