Filtered by vendor Nextcloud
Subscriptions
Total
347 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-66550 | 1 Nextcloud | 1 Calendar | 2025-12-05 | 5.7 Medium |
| Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.17 and 5.2.4, when a malicious user creates a calendar event with a crafted attachment that links to a download link of a file on the same Nextcloud server, the file would be downloaded without the user confirming the action. This vulnerability is fixed in 4.7.17 and 5.2.4. | ||||
| CVE-2025-66552 | 1 Nextcloud | 4 Nextcloud, Nextcloud Enterprise Server, Nextcloud Server and 1 more | 2025-12-05 | 4.3 Medium |
| Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 30.0.9 and 31.0.1, incorrect path handling with groupfolders caused the admin_audit app to not properly log all actions on files and folders inside groupfolders. This vulnerability is fixed in Nextcloud Server and Enterprise Server prior to 30.0.9 and 31.0.1. | ||||
| CVE-2025-66557 | 1 Nextcloud | 1 Deck | 2025-12-05 | 5.4 Medium |
| Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.14.6 and 1.15.2, a bug in the permission logic allowed users with "Can share" permission to modify the permissions of other recipients. This vulnerability is fixed in 1.14.6 and 1.15.2. | ||||
| CVE-2025-66511 | 1 Nextcloud | 1 Calendar | 2025-12-05 | 4.8 Medium |
| Nextcloud Calendar is a calendar app for Nextcloud. Prior to 6.0.3, the Calendar app generates participant tokens for meeting proposals using a hash function, allowing an attacker to compute valid participant tokens, which allowed them to request details and submit dates in meeting proposals. The tokens are not purely random generated. This vulnerability is fixed in 6.0.3. | ||||
| CVE-2025-66513 | 1 Nextcloud | 1 Tables | 2025-12-05 | 4.3 Medium |
| Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.9, 0.9.6, and 1.0.1, the information which table (numeric ID) is shared with which groups or users and the respective permissions was not limited to privileged users. This vulnerability is fixed in 0.8.9, 0.9.6, and 1.0.1. | ||||
| CVE-2025-66553 | 1 Nextcloud | 1 Tables | 2025-12-05 | 4.3 Medium |
| Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.7 and 0.9.4, authenticated users were able to view meta data of columns in other tables of the Tables app by modifying the numeric ID in a request. This vulnerability is fixed in 0.8.7 and 0.9.4. | ||||
| CVE-2025-66512 | 1 Nextcloud | 4 Nextcloud, Nextcloud Enterprise Server, Nextcloud Server and 1 more | 2025-12-05 | 5.4 Medium |
| Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Server Enterprise prior to 31.0.12 and 32.0.3, a missing sanitization allowed malicious users to circumvent the content security policy when a malicious user manages to trick a user it viewing an uploaded SVG outside of the Nextcloud Servers web page. | ||||
| CVE-2025-66510 | 1 Nextcloud | 4 Nextcloud, Nextcloud Enterprise Server, Nextcloud Server and 1 more | 2025-12-05 | 4.5 Medium |
| Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 31.0.10 and 32.0.1 and Nextcloud Enterprise Server prior to 28.0.14.11, 29.0.16.8, 30.0.17.3, and 31.0.10, contacts search allowed to retrieve personal data of other users (emails, names, identifiers) without proper access control. This allows an authenticated user to retrieve information about accounts that are not related or added as contacts. | ||||
| CVE-2025-66514 | 1 Nextcloud | 1 Mail | 2025-12-05 | 3.5 Low |
| Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Prior to 5.5.3, a stored HTML injection in the Mail app's message list allowed an authenticated user to inject HTML into the email subjects. Javascript was correctly blocked by the content security policy of the Nextcloud Server code. | ||||
| CVE-2025-66551 | 1 Nextcloud | 1 Tables | 2025-12-05 | 6.3 Medium |
| Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.6 and 0.9.3, a malicious user was able to create their own table and then move a column to a victims table. This vulnerability is fixed in 0.8.6 and 0.9.3. | ||||
| CVE-2025-66547 | 1 Nextcloud | 4 Nextcloud, Nextcloud Enterprise Server, Nextcloud Server and 1 more | 2025-12-05 | 4.3 Medium |
| Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 31.0.1, non-privileged users can modify tags on files they should not have access to via bulk tagging. This vulnerability is fixed in 31.0.1. | ||||
| CVE-2025-66515 | 1 Nextcloud | 1 Approval | 2025-12-05 | 2.7 Low |
| The Nextcloud Approval app allows approval or disapproval of files in the sidebar. Prior to 1.3.1 and 2.5.0, an authenticated user listed as a requester in a workflow can set another user’s file into the “pending approval” without access to the file by using the numeric file id. This vulnerability is fixed in 1.3.1 and 2.5.0. | ||||
| CVE-2025-59788 | 1 Nextcloud | 1 Nextcloud | 2025-12-04 | 6.4 Medium |
| Cross-site scripting (XSS) vulnerability in a reachable files_pdfviewer example directory in Nextcloud with versions before 22.2.10.33, 23.0.12.29, 24.0.12.28, 25.0.13.23, 26.0.13.20, 27.1.11.20, 28.0.14.11, 29.0.16.8, 30.0.17, 31.0.10, and 32.0.1 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted PDF file to viewer.html. This issue is related to CVE-2024-4367, but the root cause of this Nextcloud issue is that the product exposes executable example code on a same-origin basis. | ||||
| CVE-2023-28997 | 1 Nextcloud | 1 Desktop | 2025-11-03 | 6.7 Medium |
| The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server administrator can recover and modify the contents of end-to-end encrypted files. Users should upgrade the Nextcloud Desktop client to 3.6.5 to receive a patch. No known workarounds are available. | ||||
| CVE-2022-39334 | 1 Nextcloud | 1 Desktop | 2025-11-03 | 3.9 Low |
| Nextcloud also ships a CLI utility called nextcloudcmd which is sometimes used for automated scripting and headless servers. Versions of nextcloudcmd prior to 3.6.1 would incorrectly trust invalid TLS certificates, which may enable a Man-in-the-middle attack that exposes sensitive data or credentials to a network attacker. This affects the CLI only. It does not affect the standard GUI desktop Nextcloud clients, and it does not affect the Nextcloud server. | ||||
| CVE-2022-39333 | 1 Nextcloud | 1 Desktop | 2025-11-03 | 4.6 Medium |
| Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue. | ||||
| CVE-2022-39332 | 1 Nextcloud | 1 Desktop | 2025-11-03 | 4.6 Medium |
| Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application via user status and information. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue. | ||||
| CVE-2022-39331 | 1 Nextcloud | 1 Desktop | 2025-11-03 | 4.6 Medium |
| Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue. | ||||
| CVE-2025-58051 | 1 Nextcloud | 1 Tables | 2025-10-21 | 6.5 Medium |
| Nextcloud Tables allows you to create your own tables with individual columns. Prior 0.7.6, 0.8.8, and 0.9.5, when importing a table, a user was able to specify files on the server and when their format is supported by the used PhpSpreadsheet library they would be included and their content leaked to the user. It is recommended that the Nextcloud Tables app is upgraded to 0.7.6, 0.8.8 or 0.9.5. | ||||
| CVE-2024-37887 | 1 Nextcloud | 1 Nextcloud Server | 2025-10-02 | 3.5 Low |
| Nextcloud Server is a self hosted personal cloud system. Private shared calendar events' recurrence exceptions can be read by sharees. It is recommended that the Nextcloud Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1 and that the Nextcloud Enterprise Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1. | ||||