CVE-2026-41034
MEDIUM
NVD
CVSS Score: 5
Severity: MEDIUM
Published: Apr 16, 2026
Vendor: unknown
Description
ONLYOFFICE DocumentServer before 9.3.0 has an untrusted pointer dereference in XLS processing/conversion (via pictFmla.cbBufInCtlStm and other vectors), leading to an information leak and ASLR bypass.