CVE-2025-1080

HIGH EPSS 20.8%
Published Mar 4, 2025 (1y ago) · Modified Jun 17, 2026 (1w ago)
7.2 CVSS 4.0
High

Description

LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme, 'vnd.libreoffice.command', specific to LibreOffice was added. In the affected versions of LibreOffice, a link in a browser using that scheme could be constructed with an embedded inner URL that, when passed to LibreOffice, could call internal macros with arbitrary arguments. This issue affects LibreOffice: from 24.8 before 24.8.5, from 25.2 before 25.2.1.

CVSS Details

Base Score
7.2
Exploitability
Impact
Vector string
CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:L/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Local
Attack Complexity High
Privileges Required None
User Interaction P
Scope X

Threat Intelligence

EPSS Exploit Probability
20.8% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-20 Improper Input Validation

Affected Products 3

Vendor        Product        Version   Range
libreoffice   libreoffice    *         ≥24.8.0.0 – <24.8.5.1
libreoffice   libreoffice    *         ≥25.2.0.0 – <25.2.1.1
debian        debian_linux   11.0      any

References 2

  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/06/msg00002.html
    Mailing List, Third Party Advisory
  • libreoffice.org https://www.libreoffice.org/about-us/security/advisories/cve-2025-1080
    Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.