Nextcloud


Products by Nextcloud, sorted by most security vulnerabilities since 2018

Nextcloud Server: 152 vulnerabilities
Nextcloud: 129 vulnerabilities
Nextcloud Desktop: 23 vulnerabilities
Nextcloud Talk: 20 vulnerabilities
Nextcloud Deck: 17 vulnerabilities
Nextcloud Mail: 13 vulnerabilities
Nextcloud Mail: 8 vulnerabilities
Nextcloud Server: 8 vulnerabilities
Nextcloud Contacts: 7 vulnerabilities
Nextcloud User Oidc: 7 vulnerabilities
Nextcloud Calendar: 6 vulnerabilities
Nextcloud Guests: 2 vulnerabilities
Nextcloud Notes: 2 vulnerabilities
Nextcloud Zipper: 1 vulnerability
Nextcloudpi: 1 vulnerability

By the Year

In 2026 there have been 0 vulnerabilities in Nextcloud. Last year, in 2025, Nextcloud had 25 security vulnerabilities published. Right now, Nextcloud is on track to have fewer security vulnerabilities in 2026 than it did last year.




Year Vulnerabilities Average Score
2026 0 0.00
2025 25 4.33
2024 35 5.84
2023 80 6.31
2022 51 5.13
2021 63 6.21
2020 50 5.05
2019 9 6.33
2018 13 5.72

It may take a day or so for new Nextcloud vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Nextcloud Security Vulnerabilities

CVE | Date | Products (each entry is followed by the vulnerability title and description)
CVE-2025-64011 | Dec 12, 2025 | Server
Nextcloud Server 30.0.0 IDOR via /core/preview fileId
Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference (IDOR) in the /core/preview endpoint. Any authenticated user can access previews of arbitrary files belonging to other users by manipulating the fileId parameter. This allows unauthorized disclosure of sensitive data, such as text files or images, without prior sharing permissions.
CVE-2025-66558 | Dec 05, 2025 | Nextcloud
Nextcloud TFA WebAuthn Devices: Missing Ownership Check (1.4.2/2.4.1)
Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attacker to take away a 2FA WebAuthn device by correctly guessing an 80-128 character long random string of letters, numbers and symbols. The victim would then be prompted to register a new device on the next login. The attacker cannot authenticate as the victim. This vulnerability is fixed in 1.4.2 and 2.4.1.
CVE-2025-66556 | Dec 05, 2025 | Talk
Nextcloud Talk Poll Draft Deletion (CVE-2025-66556) fixed in 20.1.8/21.1.2
Nextcloud Talk is a video and audio conferencing app for Nextcloud. Prior to 20.1.8 and 21.1.2, a participant with chat permissions was able to delete poll drafts of other participants within the conversation based on their numeric ID. This vulnerability is fixed in 20.1.8 and 21.1.2.
CVE-2025-66554 | Dec 05, 2025 | Contacts
Nextcloud Contacts App XSS via Org/Title CSS Injection <5.5.4/6.0.6/7.2.5
Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. Prior to 5.5.4, 6.0.6, and 7.2.5, a malicious user was able to modify their organisation and title fields to load additional CSS files. JavaScript and other options were correctly blocked by the content security policy of the Nextcloud Server code. This vulnerability is fixed in 5.5.4, 6.0.6, and 7.2.5.
CVE-2025-66549 | Dec 05, 2025 | Desktop
Nextcloud Desktop 3.16.5: Unencrypted File Path Leak in E2E Locked Files
Nextcloud Desktop is the desktop sync client for Nextcloud. Prior to 3.16.5, when trying to manually lock a file inside an end-to-end encrypted directory, the path of the file was sent to the server unencrypted, making it possible for administrators to see it in log files. This vulnerability is fixed in 3.16.5.
CVE-2025-66545 | Dec 05, 2025 | Nextcloud
Nextcloud Groupfolders R/O Users Can Restore Trash Before v14.0.11
Nextcloud Groupfolders provides admin-configured folders shared by everyone in a group or team. Prior to 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2, a user with read-only permission can restore a file from the trash bin. This vulnerability is fixed in 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2.
CVE-2025-66515 | Dec 05, 2025
Nextcloud Approval App: Auth User File Access Bypass (1.3.0/2.4.9)
The Nextcloud Approval app allows approval or disapproval of files in the sidebar. Prior to 1.3.1 and 2.5.0, an authenticated user listed as a requester in a workflow could put another user's file into pending approval, without having access to the file, by using the numeric file id. This vulnerability is fixed in 1.3.1 and 2.5.0.
CVE-2025-66514 | Dec 05, 2025 | Mail
Nextcloud Mail <5.5.3: Stored HTML Injection in Message List
Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Prior to 5.5.3, a stored HTML injection in the Mail app's message list allowed an authenticated user to inject HTML into email subjects. JavaScript was correctly blocked by the content security policy of the Nextcloud Server code.
CVE-2025-66557 | Dec 05, 2025 | Deck
Nextcloud Deck Privilege Escalation via Permission Logic Bug (CVE-2025-66557)
Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.14.6 and 1.15.2, a bug in the permission logic allowed users with "Can share" permission to modify the permissions of other recipients. This vulnerability is fixed in 1.14.6 and 1.15.2.
CVE-2025-66548 | Dec 05, 2025 | Deck
Nextcloud Deck file extension spoofing via RTLO (before 1.12.7/1.14.4/1.15.1)
Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.12.7, 1.14.4, and 1.15.1, file extensions could be spoofed by using RTLO characters, tricking users into downloading files with a different extension than the one displayed. This vulnerability is fixed in 1.12.7, 1.14.4, and 1.15.1.
CVE-2025-66553 | Dec 05, 2025
Nextcloud Tables Priv Escalation: View Meta via ID (<=0.8.6/0.9.3)
Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.7 and 0.9.4, authenticated users were able to view metadata of columns in other tables of the Tables app by modifying the numeric ID in a request. This vulnerability is fixed in 0.8.7 and 0.9.4.
CVE-2025-66551 | Dec 05, 2025 | Nextcloud
CVE-2025-66551: Nextcloud Tables Allows Create & Move Columns pre 0.8.6/0.9.3
Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.6 and 0.9.3, a malicious user was able to create their own table and then move a column to a victim's table. This vulnerability is fixed in 0.8.6 and 0.9.3.
CVE-2025-66513 | Dec 05, 2025
Nextcloud Tables <1.0.1 Unauthorized Share Permissions Leak
Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.9, 0.9.6, and 1.0.1, the information about which table (numeric ID) is shared with which groups or users, and with which permissions, was not limited to privileged users. This vulnerability is fixed in 0.8.9, 0.9.6, and 1.0.1.
CVE-2025-66550 | Dec 05, 2025
Nextcloud Calendar auto-download flaw before 4.7.17/5.2.4
Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.17 and 5.2.4, when a malicious user creates a calendar event with a crafted attachment that links to a download link of a file on the same Nextcloud server, the file would be downloaded without the user confirming the action. This vulnerability is fixed in 4.7.17 and 5.2.4.
CVE-2025-66546 | Dec 05, 2025
Nextcloud Calendar Blind Booking ID before v4.7.19, 5.5.6, 6.0.1 (CVE-2025-66546)
Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.19, 5.5.6, and 6.0.1, the calendar app allowed blindly booking appointments with a sequential ID without knowing the appointment token. This vulnerability is fixed in 4.7.19, 5.5.6, and 6.0.1.
CVE-2025-66511 | Dec 05, 2025
Nextcloud Calendar <6.0.3 Hash-based Participant Token Leak
Nextcloud Calendar is a calendar app for Nextcloud. Prior to 6.0.3, the Calendar app generated participant tokens for meeting proposals using a hash function, allowing an attacker to compute valid participant tokens and thereby request details and submit dates in meeting proposals. The tokens were not purely randomly generated. This vulnerability is fixed in 6.0.3.
CVE-2025-66552 | Dec 05, 2025 | Nextcloud
Nextcloud Server Admin_Audit Logging Flaw (30.0.8, 31.0.0)
Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 30.0.9 and 31.0.1, incorrect path handling with groupfolders caused the admin_audit app to not properly log all actions on files and folders inside groupfolders. This vulnerability is fixed in Nextcloud Server and Enterprise Server 30.0.9 and 31.0.1.
CVE-2025-66547 | Dec 05, 2025 | Nextcloud
CVE-2025-66547: Nextcloud Server <31.0.1 Bulk Tagging A/C Bypass
Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 31.0.1, non-privileged users can modify tags on files they should not have access to via bulk tagging. This vulnerability is fixed in 31.0.1.
CVE-2025-66512 | Dec 05, 2025 | Nextcloud
Nextcloud Server <31.0.12/32.0.3 CSP Bypass via Unsanitized SVG
Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Server Enterprise prior to 31.0.12 and 32.0.3, missing sanitization allowed malicious users to circumvent the content security policy when the malicious user managed to trick another user into viewing an uploaded SVG outside of the Nextcloud Server's web page.
CVE-2025-66510 | Dec 05, 2025 | Nextcloud
Nextcloud Server <31.0.10 / 32.0.1 Contact Search Data Leak
Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 31.0.10 and 32.0.1 and Nextcloud Enterprise Server prior to 28.0.14.11, 29.0.16.8, 30.0.17.3, and 31.0.10, the contacts search allowed retrieving personal data of other users (emails, names, identifiers) without proper access control. This allows an authenticated user to retrieve information about accounts that are not related to them or added as contacts.
CVE-2025-59788 | Dec 04, 2025 | Nextcloud
Nextcloud PDF Viewer XSS via Crafted PDF (pre-22.2.10.33/23.0.12.29/24.0.12.28)
Cross-site scripting (XSS) vulnerability in a reachable files_pdfviewer example directory in Nextcloud with versions before 22.2.10.33, 23.0.12.29, 24.0.12.28, 25.0.13.23, 26.0.13.20, 27.1.11.20, 28.0.14.11, 29.0.16.8, 30.0.17, 31.0.10, and 32.0.1 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted PDF file to viewer.html. This issue is related to CVE-2024-4367, but the root cause of this Nextcloud issue is that the product exposes executable example code on a same-origin basis.
CVE-2025-58051 | Oct 16, 2025
File Inclusion Leak via PhpSpreadsheet in Nextcloud Tables (<=0.9.5)
Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.7.6, 0.8.8, and 0.9.5, when importing a table, a user was able to specify files on the server; when their format was supported by the PhpSpreadsheet library in use, they would be included and their content leaked to the user. It is recommended that the Nextcloud Tables app is upgraded to 0.7.6, 0.8.8 or 0.9.5.
CVE-2025-47791 | May 16, 2025 | Server
Nextcloud Server <28.0.13, <29.0.10, <30.0.3: Unprotected share endpoint allows proxying
Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 28.0.13, 29.0.10, and 30.0.3 and Nextcloud Enterprise Server prior to 28.0.13, 29.0.10, and 30.0.3, a currently unused endpoint to verify a share recipient was not protected correctly, allowing requests to be proxied to another server. The endpoint was removed in Nextcloud Server 28.0.13, 29.0.10, and 30.0.3 and Nextcloud Enterprise Server 28.0.13, 29.0.10, and 30.0.3. No known workarounds are available.
CVE-2025-47794 | May 16, 2025 | Nextcloud
File Disclosure & Symlink Attack via Temp Files in Nextcloud 29-31
Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 29.0.13, 30.0.7, and 31.0.1 and Nextcloud Enterprise Server prior to 26.0.13.13, 27.1.11.13, 28.0.14.4, 29.0.13, 30.0.7, and 31.0.1, an attacker on a multi-user system may read temporary files from Nextcloud running with a different user account, or run a symlink attack. Nextcloud Server versions 29.0.13, 30.0.7, and 31.0.1 and Nextcloud Enterprise Server 26.0.13.13, 27.1.11.13, 28.0.14.4, 29.0.13, 30.0.7, and 31.0.1 fix the issue. No known workarounds are available.
CVE-2025-47790 | May 16, 2025 | Nextcloud
2FA Skipped via Session Bug in Nextcloud Server <29.0.15
Nextcloud Server is a self hosted personal cloud system. Nextcloud Server prior to 29.0.15, 30.0.9, and 31.0.3 and Nextcloud Enterprise Server prior to 26.0.13.15, 27.1.11.15, 28.0.14.6, 29.0.15, 30.0.9, and 31.0.3 have a bug in session handling. The bug caused the second factor confirmation to be skipped after a successful login with username and password when the server was configured with `remember_login_cookie_lifetime` set to `0`, once the session expired on the page for selecting the second factor and the page was reloaded. Nextcloud Server 29.0.15, 30.0.9, and 31.0.3 and Nextcloud Enterprise Server 26.0.13.15, 27.1.11.15, 28.0.14.6, 29.0.15, 30.0.9 and 31.0.3 contain a patch. As a workaround, set `remember_login_cookie_lifetime` in config.php to a value other than `0`, e.g. `900`. Beware that this is only a workaround for new sessions created after the configuration change. System administrators can delete affected sessions.
CVE-2024-52513 | Nov 15, 2024 | Nextcloud
Nextcloud Server: Unauthorized Access to Password-Protected File Attachments
Nextcloud Server is a self hosted personal cloud system. After receiving a "Files drop" or "Password protected" share link, a malicious user was able to download attachments that are referenced in Text files without providing the password. It is recommended that the Nextcloud Server is upgraded to 28.0.11, 29.0.8 or 30.0.1 and Nextcloud Enterprise Server is upgraded to 25.0.13.13, 26.0.13.9, 27.1.11.9, 28.0.11, 29.0.8 or 30.0.1.
CVE-2024-52514 | Nov 15, 2024 | Nextcloud
Nextcloud Server Access Control Bypass Vulnerability
Nextcloud Server is a self hosted personal cloud system. After a user received a share with some files inside being blocked by the files access control, the user would still be able to copy the intermediate folder inside Nextcloud, allowing them to afterwards potentially access the blocked files depending on the user access control rules. It is recommended that the Nextcloud Server is upgraded to 27.1.9, 28.0.5 or 29.0.0 and Nextcloud Enterprise Server is upgraded to 21.0.9.18, 22.2.10.23, 23.0.12.18, 24.0.12.14, 25.0.13.9, 26.0.13.3, 27.1.9, 28.0.5 or 29.0.0.
CVE-2024-52512 | Nov 15, 2024 | User Oidc
Nextcloud User OIDC App Open Redirect Vulnerability
user_oidc app is an OpenID Connect user backend for Nextcloud. A malicious user could send a malformed login link that would redirect the user to a provided URL after successfully authenticating. It is recommended that the Nextcloud User OIDC app is upgraded to 6.1.0.
CVE-2024-52509 | Nov 15, 2024 | Nextcloud Mail
Nextcloud Mail Shared File Attachment Vulnerability
Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. The Nextcloud Mail app incorrectly allowed attaching shared files without download permissions as attachments. This allowed users to send the files to themselves and then download them from their mail clients. It is recommended that Nextcloud Mail is upgraded to 2.2.10, 3.6.2 or 3.7.2.
CVE-2024-52508 | Nov 15, 2024 | Nextcloud Mail
Nextcloud Mail Auto-Configuration Information Disclosure Vulnerability
Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. When a user was trying to set up a mail account with an email address like user@example.tld that does not support auto configuration, and an attacker managed to register autoconfig.tld, the email details used would be sent to the server of the attacker. It is recommended that the Nextcloud Mail app is upgraded to 1.14.6, 1.15.4, 2.2.11, 3.6.3, 3.7.7 or 4.0.0.
CVE-2024-52518 | Nov 15, 2024 | Nextcloud Server, Nextcloud
Session Hijack Enables External Storage Changes in Nextcloud 28.0.11
Nextcloud Server is a self hosted personal cloud system. After an attacker got access to the session of a user or administrator, the attacker would be able to create, change or delete external storages without having to confirm the password. It is recommended that the Nextcloud Server is upgraded to 28.0.12, 29.0.9 or 30.0.2.
CVE-2024-52519 | Nov 15, 2024 | Nextcloud Server
Nextcloud Server OAuth2 Client Secrets Recoverable (fixed 28.0.10/29.0.7)
Nextcloud Server is a self hosted personal cloud system. The OAuth2 client secrets were stored in a recoverable way, so that an attacker that got access to a backup of the database and the Nextcloud config file would be able to decrypt them. It is recommended that the Nextcloud Server is upgraded to 28.0.10 or 29.0.7 and Nextcloud Enterprise Server is upgraded to 27.1.11.8, 28.0.10 or 29.0.7.
CVE-2024-52521 | Nov 15, 2024 | Nextcloud Server, Nextcloud
Nextcloud MD5 Hash Collision in Jobs, Fixed in 28.0.10/29.0.7/30.0.0
Nextcloud Server is a self hosted personal cloud system. MD5 hashes were used to check background jobs for their uniqueness. This increased the chance of a background job with arguments falsely being identified as already existing and not being queued for execution. By changing the hash to SHA-256 the probability was heavily decreased. It is recommended that the Nextcloud Server is upgraded to 28.0.10, 29.0.7 or 30.0.0.
CVE-2024-52525 | Nov 15, 2024 | Nextcloud Server, Nextcloud
Nextcloud Unencrypted Password in Session Memory (v<28.0.12)
Nextcloud Server is a self hosted personal cloud system. Under certain conditions, the password of a user was stored unencrypted in the session data. The session data is encrypted before being saved in the session storage (Redis or disk), but this would allow a malicious process that gains access to the memory of the PHP process to obtain the cleartext password of the user. It is recommended that the Nextcloud Server is upgraded to 28.0.12, 29.0.9 or 30.0.2.
CVE-2024-52516 | Nov 15, 2024 | Nextcloud Server, Nextcloud
Nextcloud Server 22.x-24.x Group Removal Shares Not Revoked
Nextcloud Server is a self hosted personal cloud system. When a server is configured to only allow sharing with users that are in one's own groups, after a user was removed from a group, previously shared items were not unshared. It is recommended that the Nextcloud Server is upgraded to 22.2.11, 23.0.11 or 24.0.6 and Nextcloud Enterprise Server is upgraded to 22.2.11, 23.0.11 or 24.0.6.
CVE-2024-52517 | Nov 15, 2024 | Nextcloud Server, Nextcloud
CVE-2024-52517: Nextcloud Credential Leak API (Fixed 28.0.11, 29.0.8, 30.0.1)
Nextcloud Server is a self hosted personal cloud system. After storing "Global credentials" on the server, the API returned them and added them into the frontend again, allowing them to be read in plain text when an attacker already had access to an active session of a user. It is recommended that the Nextcloud Server is upgraded to 28.0.11, 29.0.8 or 30.0.1 and Nextcloud Enterprise Server is upgraded to 25.0.13.13, 26.0.13.9, 27.1.11.9, 28.0.11, 29.0.8 or 30.0.1.
CVE-2024-52523 | Nov 15, 2024 | Nextcloud
Nextcloud API Credential Leaks in External Storage (before 28.0.12)
Nextcloud Server is a self hosted personal cloud system. After setting up a user or administrator defined external storage with fixed credentials, the API returned them and added them into the frontend again, allowing them to be read in plain text when an attacker already had access to an active session of a user. It is recommended that the Nextcloud Server is upgraded to 28.0.12, 29.0.9 or 30.0.2 and Nextcloud Enterprise Server is upgraded to 25.0.13.14, 26.0.13.10, 27.1.11.10, 28.0.12, 29.0.9 or 30.0.2.
CVE-2024-52520 | Nov 15, 2024 | Nextcloud
CVE-2024-52520: Nextcloud Server < 28.0.10 SSRF via HEAD (Open-Graph)
Nextcloud Server is a self hosted personal cloud system. Due to a pre-flighted HEAD request, the link reference provider could be tricked into downloading bigger websites than intended to find open-graph data. It is recommended that the Nextcloud Server is upgraded to 28.0.10 or 29.0.7 and Nextcloud Enterprise Server is upgraded to 27.1.11.8, 28.0.10 or 29.0.7.
CVE-2024-52515 | Nov 15, 2024 | Nextcloud
Nextcloud Server SVG Preview Path Misreference Prior to 27.1.10
Nextcloud Server is a self hosted personal cloud system. After an admin enables the default-disabled SVG preview provider, a malicious user could upload a manipulated SVG file referencing paths. If the referenced file existed, the preview of the SVG would show the other file instead. It is recommended that the Nextcloud Server is upgraded to 27.1.10, 28.0.6 or 29.0.1 and Nextcloud Enterprise Server is upgraded to 24.0.12.15, 25.0.13.10, 26.0.13.4, 27.1.10, 28.0.6 or 29.0.1.
CVE-2024-46958 | Sep 16, 2024 | Desktop
World Writable Files in Nextcloud Desktop Client 3.13.1-3.13.3 on Linux
In Nextcloud Desktop Client 3.13.1 through 3.13.3 on Linux, synchronized files (between the server and client) may become world writable or world readable. This is fixed in 3.13.4.
CVE-2024-37315 | Jun 14, 2024 | Nextcloud Server, Nextcloud
Read-Only Access Allows Restoring Old Versions in Nextcloud (Files_Versions)
Nextcloud Server is a self hosted personal cloud system. An attacker with read-only access to a file is able to restore older versions of a document when the files_versions app is enabled. It is recommended that the Nextcloud Server is upgraded to 26.0.12, 27.1.7 or 28.0.3 and that the Nextcloud Enterprise Server is upgraded to 23.0.12.16, 24.0.12.12, 25.0.13.6, 26.0.12, 27.1.7 or 28.0.3.
CVE-2024-37885 | Jun 14, 2024 | Desktop
Nextcloud Desktop Client macOS: Code Injection via DYLD_INSERT_LIBRARIES before 3.12.0
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. A code injection in the Nextcloud Desktop Client for macOS allowed loading arbitrary code when starting the client with DYLD_INSERT_LIBRARIES set in the environment. It is recommended that the Nextcloud Desktop Client is upgraded to 3.12.0.
CVE-2024-37883 | Jun 14, 2024 | Deck
Nextcloud Deck: Exposed Deleted Card Data in <1.6.6 (and later branches)
Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. A user with access to a deck board was able to access comments and attachments of already deleted cards. It is recommended that the Nextcloud Deck app is upgraded to 1.6.6, 1.7.5, 1.8.7, 1.9.6, 1.11.3 or 1.12.1.
CVE-2024-37317 | Jun 14, 2024 | Notes
Nextcloud Notes 4.9.2: Shared Notes/ Folder Enables Personal Note Storage
The Nextcloud Notes app is a distraction free note taking app for Nextcloud. If an attacker managed to share a folder called `Notes/` with a newly created user before they logged in, the Notes app would use that folder to store the personal notes. It is recommended that the Nextcloud Notes app is upgraded to 4.9.3.
CVE-2024-37316 | Jun 14, 2024 | Calendar
Nextcloud Cal App CVE-2024-37316: Bad Redirect via Attachments (4.6.8/4.7.2)
Nextcloud Calendar is a calendar app for Nextcloud. Authenticated users could create an event with manipulated attachment data, leading to a bad redirect for participants when clicked. It is recommended that the Nextcloud Calendar app is upgraded to 4.6.8 or 4.7.2.
CVE-2024-37887 | Jun 14, 2024 | Nextcloud Server
Nextcloud Recurrence Exception Leak in Server <27.1.10/28.0.6/29.0.1
Nextcloud Server is a self hosted personal cloud system. Private shared calendar events' recurrence exceptions can be read by sharees. It is recommended that the Nextcloud Server is upgraded to 27.1.10, 28.0.6 or 29.0.1 and that the Nextcloud Enterprise Server is upgraded to 27.1.10, 28.0.6 or 29.0.1.
CVE-2024-37886 | Jun 14, 2024 | User Oidc
Nextcloud user_oidc OIDC signing bypass pre-1.3.5/2.0.0/3.0.0/4.0.0/5.0.0 (CVE-2024-37886)
user_oidc app is an OpenID Connect user backend for Nextcloud. An attacker could potentially trick the app into accepting a request that is not signed by the correct server. It is recommended that the Nextcloud user_oidc app is upgraded to 1.3.5, 2.0.0, 3.0.0, 4.0.0 or 5.0.0.
CVE-2024-37882 | Jun 14, 2024 | Nextcloud Server, Nextcloud
CVE-2024-37882 Nextcloud Server <26.0.13: Permission Escalation via Reshare
Nextcloud Server is a self hosted personal cloud system. A recipient of a share with read&share permissions could reshare the item with more permissions. It is recommended that the Nextcloud Server is upgraded to 26.0.13, 27.1.8 or 28.0.4 and that the Nextcloud Enterprise Server is upgraded to 26.0.13, 27.1.8 or 28.0.4.
CVE-2024-37884 | Jun 14, 2024 | Nextcloud Server, Nextcloud
Nextcloud Server: Delete Shared File Versions (Pre-26.0.12)
Nextcloud Server is a self hosted personal cloud system. A malicious user was able to send delete requests for old versions of files that were only shared with them with read permissions. It is recommended that the Nextcloud Server is upgraded to 26.0.12, 27.1.7 or 28.0.3 and that the Nextcloud Enterprise Server is upgraded to 26.0.12, 27.1.7 or 28.0.3.
CVE-2024-37312 | Jun 14, 2024 | User Oidc, Nextcloud
Nextcloud user_oidc Missing AC on ID4me (Before 3.0.0): ID4me open registration
user_oidc app is an OpenID Connect user backend for Nextcloud. Missing access control on the ID4me endpoint allows an attacker to register an account, eventually getting access to data that is available to all registered users. It is recommended that the OpenID Connect user backend is upgraded to 3.0.0 (Nextcloud 20-23), 4.0.0 (Nextcloud 24) or 5.0.0 (Nextcloud 25-28).
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).