PT-2026-33272 · Onlyoffice · Onlyoffice Document Server

Published: 2026-04-16 · Updated: 2026-04-16 · CVE-2026-41034

CVSS v3.1: 5.0 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions: ONLYOFFICE DocumentServer versions prior to 9.3.0

Description: An untrusted pointer dereference exists during XLS processing and conversion, specifically involving the pictFmla.cbBufInCtlStm variable and other vectors. This issue can lead to an information leak and the bypass of Address Space Layout Randomization (ASLR), a security technique used to prevent exploitation of memory corruption by randomizing the memory addresses used by system processes.

Recommendations: Update to version 9.3.0.

Fix

Out of bounds Read

Weakness Enumeration

Related Identifiers

CVE-2026-41034

Affected Products

Onlyoffice Document Server