CVE-2023-6186

Insufficient macro permission validation of The Document Foundation LibreOffice allows an attacker to execute built-in macros without warning.

In affected versions LibreOffice supports hyperlinks with macro or similar built-in command targets that can be executed when activated without warning the user.

Published: Dec 11, 2023
Updated: May 4, 2025
CVE: CVE-2023-6186
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-281

Affected Software
References

Software	From	Fixed in
libreoffice / libreoffice	7.5.0	7.5.9
libreoffice / libreoffice	7.6.0	7.6.4
fedoraproject / fedora	38	38.x
debian / debian_linux	11.0	11.0.x
debian / debian_linux	12.0	12.0.x

https://lists.debian.org/debian-lts-announce/2023/12/msg00026.html
https://lists.fedoraproject.org/archives/list/[email protected]/message/QB7UB6CTWQUDOE657OVVRSDYUY3IPBJG/
https://www.debian.org/security/2023/dsa-5574
https://www.libreoffice.org/about-us/security/advisories/cve-2023-6186

Vulnerability Database

289,689

CVE-2023-6186