LibreOffice Database Security Risk: File Writing Vulnerability
OESA-2026-1488
Summary
A security update is available for LibreOffice, which includes a database component called HSQLdb. An attacker could potentially create a malicious database file that allows them to write files to any location on the victim's system. This could lead to unauthorized data access or system compromise. To protect your system, update your LibreOffice package to the latest version.
What to do
- Update hsqldb to version 2.4.0-6.oe2003sp4.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | hsqldb | <= 2.4.0-6.oe2003sp4 | 2.4.0-6.oe2003sp4 |
Original title
hsqldb security update
Original description
HSQLdb is a relational database engine written in Java™, with a JDBC driver, supporting a subset of ANSI-92 SQL. It offers a small (about 100k), fast database engine which offers both in memory and disk based tables. Embedded and server modes are available. Additionally, it includes tools such as a minimal web server, in-memory query and management tools (can be run as applets or servlets, too) and a number of demonstration examples. Downloaded code should be regarded as being of production quality. The product is currently being used as a database and persistence engine in many Open Source Software projects and even in commercial projects and products! In its current version it is extremely stable and reliable. It is best known for its small size, ability to execute completely in memory and its speed. Yet it is a completely functional relational database management system that is completely free under the Modified BSD License. Yes, that's right, completely free of cost or restrictions!
Security Fix(es):
A flaw was found in the LibreOffice package. An attacker can craft an odb containing a "database/script" file with a SCRIPT command where the contents of the file could be written to a new file whose location was determined by the attacker. (CVE-2023-1183)
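A triage check for the condition described above, as an added example (not code from this advisory, openEuler or LibreOffice): it opens an .odb as a ZIP archive and reports lines in "database/script" that begin with SCRIPT. The line-start match, the size limit, the helper names and the sample archives are assumptions constructed for illustration.

```python
import io
import re
import zipfile

SCRIPT_ENTRY = "database/script"   # entry name quoted in the advisory
MAX_BYTES = 16 * 1024 * 1024       # assumption: refuse oversized entries
# Assumption: one statement per line; flag lines that begin with SCRIPT.
SCRIPT_STMT = re.compile(r"^\s*SCRIPT\b", re.IGNORECASE)


def find_script_commands(odb_bytes):
    """Return [(line_number, text)] for SCRIPT statements in database/script."""
    with zipfile.ZipFile(io.BytesIO(odb_bytes)) as archive:
        if SCRIPT_ENTRY not in archive.namelist():
            return []
        if archive.getinfo(SCRIPT_ENTRY).file_size > MAX_BYTES:
            raise ValueError("database/script larger than expected")
        text = archive.read(SCRIPT_ENTRY).decode("utf-8", errors="replace")
    return [
        (number, line.strip())
        for number, line in enumerate(text.splitlines(), start=1)
        if SCRIPT_STMT.match(line)
    ]


def build_sample(script_text):
    """Build a constructed, in-memory ZIP laid out like an .odb file."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("mimetype", "application/vnd.oasis.opendocument.base")
        archive.writestr(SCRIPT_ENTRY, script_text)
    return buffer.getvalue()


# Constructed samples, not taken from any real document.
BENIGN = build_sample(
    "CREATE SCHEMA PUBLIC AUTHORIZATION DBA\n"
    "CREATE TABLE SCRIPT_LOG(ID INTEGER)\n"
)
SUSPECT = build_sample(
    "CREATE SCHEMA PUBLIC AUTHORIZATION DBA\n"
    "SCRIPT '<placeholder-path>'\n"
)

if __name__ == "__main__":
    for name, data in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, find_script_commands(data))
```

A hit is a reason to quarantine the file for review on hosts that have not yet received the hsqldb update; it does not replace applying the update.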
- https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA... Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2023-1183 Vendor Advisory
Published: 6 Mar 2026 · Updated: 6 Mar 2026 · First seen: 6 Mar 2026