PT-2025-48979 · Collabora+1 · Code-Server+2
Published: 2025-12-03 · Updated: 2025-12-31
CVE-2025-66208
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Collabora Online - Built-in CODE Server versions prior to 25.04.702
Description
Collabora Online - Built-in CODE Server, which provides document editing features, contains a configuration-dependent Remote Code Execution (RCE) issue in the richdocumentscode proxy. Nextcloud users utilizing the Collabora Online - Built-in CODE Server app may be at risk through the proxy.php file and an intermediate reverse proxy. The issue allows for OS Command Injection.
Recommendations
Update to version 25.04.702 or later.
Exploit
Fix
RCE
OS Command Injection
Weakness Enumeration
Related Identifiers
Affected Products
Code-Server
Collabora Online
Nextcloud