Remote Code Execution in Collabora Online Built-in CODE Server Vulnerability
CVE-2025-66208

7.2HIGH

Key Information:

Vendor: Collaboraonline
Status: Online
Vendor: CVE Published:; 3 December 2025

🔔 Create Collaboraonline Vulnerability Alert

What is CVE-2025-66208?

The Collabora Online - Built-in CODE Server has a vulnerability due to Configuration-Dependent Remote Code Execution (RCE) enabled by an OS Command Injection flaw within the richdocumentscode proxy. This issue allows potential attackers to exploit the proxy.php interface used in conjunction with an intermediate reverse proxy, affecting users of Nextcloud who utilize the Collabora Online integration. The vulnerability has been patched in version 25.04.702.

Affected Version(s)

online < 25.04.702

References

https://github.com/CollaboraOnline/online/security/adviso...

x_refsource_CONFIRM

CVSS V4

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 3, 2025
Vulnerability Reserved
Nov 24, 2025

JSON