Nextcloud
By the Year
In 2026 there have been 29 vulnerabilities in Nextcloud with an average score of 5.6 out of ten. Last year, in 2025, Nextcloud had 25 security vulnerabilities published. That is, 4 more vulnerabilities have already been reported in 2026 than in all of last year. In addition, the average CVE base score of the vulnerabilities in 2026 is higher by 1.31.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 29 | 5.64 |
| 2025 | 25 | 4.33 |
| 2024 | 35 | 5.84 |
| 2023 | 80 | 6.31 |
| 2022 | 51 | 5.13 |
| 2021 | 63 | 6.21 |
| 2020 | 50 | 5.05 |
| 2019 | 9 | 6.33 |
| 2018 | 13 | 5.72 |
It may take a day or so for new Nextcloud vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Nextcloud Security Vulnerabilities
| CVE | Date | Vulnerability |
|---|---|---|
| CVE-2026-45810 | Jun 01, 2026 | Nextcloud Server 31.x-32.x: Auth Users Read All Comments. Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.12, and 32.0.0 to before 32.0.3, a missing check of a relation allowed authenticated users with access to any file comment to read the content of all comments. It is recommended that the Nextcloud Server is upgraded to 31.0.12 or 32.0.3. It is recommended that the Nextcloud Enterprise Server is upgraded to 21.0.9.20, 22.2.10.35, 23.0.12.31, 24.0.12.30, 25.0.13.25, 26.0.13.22, 27.1.11.22, 28.0.14.13, 29.0.16.10, 30.0.17.5, 31.0.12 or 32.0.3. |
| CVE-2026-45722 | Jun 01, 2026 | SQLi via ORDER BY in Nextcloud Tables app 0.9.0-0.9.6, 1.0.0-1.0.1. Nextcloud is an open source content collaboration platform. From versions 0.9.0 to before 0.9.7, and 1.0.0 to before 1.0.2, a missing sanitization in the Tables app allowed a user with access to the Tables app to perform a limited SQL injection in the ORDER BY clause of a query. Compared to normal SQL injections, an ORDER BY injection is limited to extracting a single bit of information per request or making the database wait for a given time. This issue has been patched in versions 0.9.7 and 1.0.2. |
| CVE-2026-45691 | Jun 01, 2026 | Nextcloud Server 32/33: Session Cookie Reused as Bearer Token Bypasses 2FA. Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, a pre-2FA session cookie (created after successful password authentication but before TOTP completion) could be reused as a Bearer token to authenticate against DAV endpoints, granting read/write access and bypassing mandatory two-factor authentication. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9 or 29.0.16.16. |
| CVE-2026-45690 | Jun 01, 2026 | Nextcloud Server 2FA Auth Bypass v32.0.0-32.0.8, 33.0.0-33.0.2. Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authentication bypass vulnerability allowed attackers with knowledge of a user's password to circumvent two-factor authentication (2FA) protections. When a user initiated login with valid credentials on a 2FA-enabled account, the system created a temporary session token before enforcing the second-factor challenge. This token could be extracted and replayed via HTTP Basic Authentication to gain unauthorized access to authenticated endpoints. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9 or 29.0.16.16. |
| CVE-2026-45545 | Jun 01, 2026 | Nextcloud Tables app SQLi 0.7.0-0.7.6, 0.8.0-0.8.9, 0.9.0-0.9.7, 1.0.0-1.0.3. Nextcloud is an open source content collaboration platform. From versions 0.7.0 to before 0.7.7, 0.8.0 to before 0.8.10, 0.9.0 to before 0.9.8, and 1.0.0 to before 1.0.4, an authenticated attacker with access to the Tables app may be able to execute arbitrary SQL queries up to 20 bytes long through a stored injection. With carefully crafted input it is possible to break out of the length limitation. The attacker could use this to extract information from the database or modify data. This issue has been patched in versions 0.7.7, 0.8.10, 0.9.8, 1.0.4, and 2.0.0. |
| CVE-2026-45544 | Jun 01, 2026 | Nextcloud Tables View Filter Disclosure (1.0.3). Nextcloud is an open source content collaboration platform. From version 0.8.0 to before version 1.0.4, the view filter criteria are exposed to users with read-only permissions in Nextcloud Tables. This issue has been patched in versions 1.0.4 and 2.0.0. |
| CVE-2026-45543 | Jun 01, 2026 | Nextcloud 4.3.0-5.2.6: Unauthorized File Read by Removed Collaborator. Nextcloud is an open source content collaboration platform. From version 4.3.0 to before version 5.2.7, a removed collaborator retains unauthorized read access to uploaded respondent files for the affected form. The scope is limited to uploaded files for forms where that user previously had results access. This issue has been patched in version 5.2.7. |
| CVE-2026-45286 | Jun 01, 2026 | User Enumeration via Calendar Suggest in Nextcloud <5.5.17 & <6.2.3. Nextcloud is an open source content collaboration platform. From versions 5.5.13 to before 5.5.17, and 6.2.0 to before 6.2.3, an authenticated user can enumerate users on the same Nextcloud instance by using the Calendar app's endpoint for suggesting attendees. The sharing restrictions applied to other endpoints were not effective here. This issue has been patched in versions 5.5.17 and 6.2.3. |
| CVE-2026-45284 | Jun 01, 2026 | Nextcloud LDAP Auth Bypass for Deleted Users (pre-8.4). Nextcloud is an open source content collaboration platform. From version 1.3.6 to before version 8.4.0, an improper check allowed users that were provided by LDAP to still authenticate towards User OIDC after they were deleted. This issue has been patched in version 8.4.0. |
| CVE-2026-45285 | Jun 01, 2026 | Nextcloud Team External Public Link Leak v32.0.0-32.0.8, v33.0.0-33.0.2. Nextcloud is an open source content collaboration platform. From versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a user shares a folder or file with a Nextcloud Team that includes an external member (a person added via email address who does not have a Nextcloud account), the system automatically creates a public link for that external member. This public link is not displayed in the share section of the folder, so the folder owner has no knowledge of its existence. It is sent via email to the external member. It grants the same permissions (read, write, delete, reshare, download) as the Teams access. An attacker who receives or intercepts this link can access, modify, delete, reshare, and download all data in the shared folder without any further authentication. The folder owner cannot see or revoke the link through the normal sharing interface. This issue has been patched in versions 32.0.9 and 33.0.3. |
| CVE-2026-45283 | Jun 01, 2026 | Nextcloud Server 32.x/33.x files_lock WebDAV Ownership Flaw. Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.2, and 33.0.0 to before 33.0.1, the files_lock app did not properly validate the ownership of files when processing DAV lock and unlock requests. An authenticated user could lock or unlock files belonging to other users by targeting their absolute WebDAV paths. Additionally, lock tokens were disclosed to unauthorized callers in error responses, allowing attackers to remove token-based locks placed by other users' client applications. It is recommended that the Nextcloud Server is upgraded to 32.0.2 or 33.0.1. It is recommended that the Nextcloud Enterprise Server is upgraded to 31.0.14.4, 32.0.2 or 33.0.1. |
| CVE-2026-45282 | Jun 01, 2026 | Nextcloud Server <32.0.9, 33.0.0 to <33.0.3: Token Bypass for Attachments (CVE-2026-45282). Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authenticated attacker can access attachments of link shares when knowing the share token, circumventing password protection or download restrictions. It is applicable to any file that is shared directly, as the attacker only needs to know a documentId they own, apart from the mentioned share token. For shared folders the attacker has to know or guess a documentId of a file that is included inside the folder, making it much harder to exploit. The attacker can only extract attachments, but not the shared file or folder itself. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17 or 27.1.11.5. |
| CVE-2026-45281 | Jun 01, 2026 | Nextcloud Server Calendar AuthZ Flaw in 32.x & 33.x (before 32.0.9/33.0.3). Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, with knowledge of another user's principal URL an attacker could possibly send a request to gain full access to their calendar. The attacker must therefore be an authenticated user. This is because of improper authorization controls in the backend of the calendar. If the attacker had access to the calendar, they would be able to view and modify it. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17, 27.1.11.26, 26.0.13.26, 25.0.13.29, 24.0.12.34, 23.0.12.35, 22.2.10.39, or 21.0.9.23. |
| CVE-2026-45279 | Jun 01, 2026 | Nextcloud Server path traversal: copy file via {lang} template (31.0.13 & 32.0.3). Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.14, and 32.0.0 to before 32.0.4, if {lang} is used in the template directory config value, non-admin users can in some cases copy arbitrary files (depending on Unix permissions) into their own Nextcloud directory via a path traversal. It is recommended that the Nextcloud Server is upgraded to 32.0.4 or 31.0.14. It is recommended that the Nextcloud Enterprise Server is upgraded to 32.0.4, 31.0.14, 30.0.17.7, 29.0.17.12 or 28.0.14.15. |
| CVE-2026-45278 | Jun 01, 2026 | Open redirect via OIDC in Nextcloud 6.1.0-8.2.1. Nextcloud is an open source content collaboration platform. From version 6.1.0 to before version 8.2.2, an attacker can craft links that would redirect users to another website when the victim uses the attacker's link to log in via User OIDC. This issue has been patched in version 8.2.2. |
| CVE-2026-45277 | Jun 01, 2026 | Nextcloud <=2.7.1: AuthU File Disclosure in App WKF (CVE-2026-45277). Nextcloud is an open source content collaboration platform. Prior to version 2.7.2, authenticated users can check if arbitrary files are associated with specific approval workflows where they can request approval. This issue has been patched in version 2.7.2. |
| CVE-2026-45275 | Jun 01, 2026 | Privilege Escalation in Nextcloud Approval App (Before 2.7.2). Nextcloud is an open source content collaboration platform. Prior to version 2.7.2, a privilege escalation vulnerability exists in the Approval app that allows a user without sharing permissions to force the system to share a file with approvers. This results in an authorization bypass and privilege escalation, allowing unauthorized distribution of restricted files. This issue has been patched in version 2.7.2. |
| CVE-2026-45267 | Jun 01, 2026 | Nextcloud v<=5.2.6: Missing permission check allows cross-user form read. Nextcloud is an open source content collaboration platform. Prior to version 5.2.6, a missing permissions check allowed users to request reading form submissions of other users. This issue has been patched in version 5.2.6. |
| CVE-2026-45266 | Jun 01, 2026 | Nextcloud <21.1.10/22.0.11/23.0.3: low-privileged user muting microphones in calls. Nextcloud is an open source content collaboration platform. Prior to versions 21.1.10, 22.0.11, and 23.0.3, a low-privileged user can force other users' microphones to be muted in calls when no High-performance Backend is installed. This issue has been patched in versions 21.1.10, 22.0.11, and 23.0.3. |
| CVE-2026-45159 | Jun 01, 2026 | Nextcloud E2E File Drop Bypass (1.15.0-1.18.1). Nextcloud is an open source content collaboration platform. From versions 1.15.0 to before 1.15.4, 1.16.0 to before 1.16.3, 1.17.0 to before 1.17.1, and 1.18.0 to before 1.18.1, a malicious user with access to an end-to-end encrypted file drop link was able to also drop files into other end-to-end encrypted folders of the share owner. Reading and modifying other files was not possible. This issue has been patched in versions 1.15.4, 1.16.3, 1.17.1, 1.18.1, and 2.0.0-rc.7. |
| CVE-2026-45157 | Jun 01, 2026 | Nextcloud Share Token Abuse: Chunks Visible (32.0.0-32.0.9/33.0.0-33.0.3). Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a malicious user has access to a file share of a user, they could use this share token to also access the chunked upload directly and see temporary part files during ongoing uploads. It is recommended that the Nextcloud Server is upgraded to 32.0.9 or 33.0.3. It is recommended that the Nextcloud Enterprise Server is upgraded to 26.0.13.26, 27.1.11.25, 28.0.14.17, 29.0.16.16, 30.0.17.9, 31.0.14.5, 32.0.9 or 33.0.3. |
| CVE-2026-45156 | Jun 01, 2026 | Nextcloud OIDC ID4me Impersonation: Missing Signature Verification (3.0, 5.0-5.1, ...). Nextcloud is an open source content collaboration platform. From versions 0.3.0 to before 3.1.0, 5.0.0 to before 5.1.0, and 6.0.0 to before 6.4.0, a missing signature verification in User OIDC allowed a malicious ID4me authority to identify as any user. This issue has been patched in versions 3.1.0, 4.1.0, 5.1.0, 6.4.0 and 8.3.0. |
| CVE-2026-45155 | Jun 01, 2026 | Nextcloud Server <32.0.7 & <33.0.1 Circle Privilege Escalation. Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.7 and 33.0.0 to before 33.0.1, a missing access check on API level allowed adding unknown circles by their ID directly to other circles. Since circle IDs have 62^15 complexity by default this is still unlikely to be executable at will, but if access to an ID was available via another source, memberships could be tracked like this. It is recommended that the Nextcloud Server is upgraded to 32.0.7 or 33.0.1. It is recommended that the Nextcloud Enterprise Server is upgraded to 29.0.16.14, 30.0.17.8, 31.0.14.3, 32.0.7 or 33.0.1. |
| CVE-2026-45154 | Jun 01, 2026 | Nextcloud <4.3.0: View-Only Guests Access Deleted Pages via Trashbin. Nextcloud is an open source content collaboration platform. From version 2.6.0 to before version 4.3.0, when a collective page was deleted and the collective was shared view-only, guests with access to the collective were able to access the deleted pages directly from the trashbin. This issue has been patched in version 4.3.0. |
| CVE-2026-45153 | Jun 01, 2026 | Nextcloud Files Android PIN bypass via back button before 33.1.0. Nextcloud is an open source content collaboration platform. From version 33.0.0 to before version 33.1.0, after unlocking a locked Android phone the back button could be used to bypass the Nextcloud Files app PIN. This issue has been patched in version 33.1.0. |
| CVE-2026-45264 | Jun 01, 2026 | Nextcloud Team Folder Rename Bypass (v17-21), patched in v17.0.15/18.1.12/19.1.16/20.1.11/21.0.4. Nextcloud is an open source content collaboration platform. From versions 17.0.0 to before 17.0.15, 18.0.0 to before 18.1.12, 19.0.0 to before 19.1.16, 20.0.0 to before 20.1.11, and 21.0.0 to before 21.0.4, a user with READ and CREATE permission, but no UPDATE permission, for a team folder can rename files in the team folder. This issue has been patched in versions 17.0.15, 18.1.12, 19.1.16, 20.1.11, and 21.0.4. |
| CVE-2026-44515 | May 14, 2026 | Nextcloud News <=28.3.0-beta.1 Blind SSRF via Feed URL. Nextcloud News is an RSS/Atom feed reader. Prior to 28.3.0-beta.1, Nextcloud News allows authenticated users to add feeds by providing a feed URL (via the web interface or the API). In affected versions, an authenticated attacker could provide a URL pointing to internal/private IP ranges or localhost, causing the Nextcloud server to perform server-side HTTP requests to attacker-controlled destinations, but not relaying the result. This enables blind SSRF, which can be used to scan or probe internal network services that are reachable from the Nextcloud server. This vulnerability is fixed in 28.3.0-beta.1. |
| CVE-2026-23696 | Apr 07, 2026 | Windmill 1.603.2 SQLi in Folder Ownership via owner Param. Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows authenticated attackers to inject SQL through the owner parameter. An attacker can use the injection to read sensitive data such as the JWT signing secret and administrative user identifiers, forge an administrative token, and then execute arbitrary code via the workflow execution endpoints. |
| CVE-2026-22683 | Apr 07, 2026 | Windmill 1.56.0-1.614.0 AuthZ Flaw: Operator Escalates to RCE via API. Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities, the API does not enforce the Operator restriction on workspace endpoints, allowing an Operator to create and update scripts, flows, apps, and raw_apps. Since Operators can also execute scripts via the jobs API, this allows direct privilege escalation to remote code execution within the Windmill deployment. This vulnerability has existed since the introduction of the Operator role in version 1.56.0. |
| CVE-2025-64011 | Dec 12, 2025 | Nextcloud Server 30.0.0 IDOR via /core/preview fileId. Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference (IDOR) in the /core/preview endpoint. Any authenticated user can access previews of arbitrary files belonging to other users by manipulating the fileId parameter. This allows unauthorized disclosure of sensitive data, such as text files or images, without prior sharing permissions. |
| CVE-2025-66558 | Dec 05, 2025 | Nextcloud TFA WebAuthn Devices: Missing Ownership Check (1.4.2/2.4.1). Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attacker to take away a 2FA WebAuthn device when correctly guessing an 80-128 character long random string of letters, numbers and symbols. The victim would then be prompted to register a new device on the next login. The attacker cannot authenticate as the victim. This vulnerability is fixed in 1.4.2 and 2.4.1. |
| CVE-2025-66556 | Dec 05, 2025 | Nextcloud Talk Poll Draft Deletion (CVE-2025-66556), fixed in 20.1.8/21.1.2. Nextcloud Talk is a video and audio conferencing app for Nextcloud. Prior to 20.1.8 and 21.1.2, a participant with chat permissions was able to delete poll drafts of other participants within the conversation based on their numeric ID. This vulnerability is fixed in 20.1.8 and 21.1.2. |
| CVE-2025-66554 | Dec 05, 2025 | Nextcloud Contacts App XSS via Org/Title CSS Injection <5.5.4/6.0.6/7.2.5. The Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. Prior to 5.5.4, 6.0.6, and 7.2.5, a malicious user was able to modify their organisation and title fields to load additional CSS files. JavaScript and other options were correctly blocked by the content security policy of the Nextcloud Server code. This vulnerability is fixed in 5.5.4, 6.0.6, and 7.2.5. |
| CVE-2025-66549 | Dec 05, 2025 | Nextcloud Desktop <3.16.5: Unencrypted File Path Leak when Locking E2E Files. Nextcloud Desktop is the desktop sync client for Nextcloud. Prior to 3.16.5, when trying to manually lock a file inside an end-to-end encrypted directory, the path of the file was sent to the server unencrypted, making it possible for administrators to see it in log files. This vulnerability is fixed in 3.16.5. |
| CVE-2025-66545 | Dec 05, 2025 | Nextcloud Groupfolders: Read-Only Users Can Restore from Trash Before v14.0.11. Nextcloud Groupfolders provides admin-configured folders shared by everyone in a group or team. Prior to 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2, a user with read-only permission can restore a file from the trash bin. This vulnerability is fixed in 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2. |
| CVE-2025-66515 | Dec 05, 2025 | Nextcloud Approval App: Authenticated User File Access Bypass (1.3.0/2.4.9). The Nextcloud Approval app allows approval or disapproval of files in the sidebar. Prior to 1.3.1 and 2.5.0, an authenticated user listed as a requester in a workflow can set another user's file into pending approval without access to the file by using the numeric file ID. This vulnerability is fixed in 1.3.1 and 2.5.0. |
| CVE-2025-66514 | Dec 05, 2025 | Nextcloud Mail <5.5.3: Stored HTML Injection in Message List. Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Prior to 5.5.3, a stored HTML injection in the Mail app's message list allowed an authenticated user to inject HTML into email subjects. JavaScript was correctly blocked by the content security policy of the Nextcloud Server code. |
| CVE-2025-66557 | Dec 05, 2025 | Nextcloud Deck Privilege Escalation via Permission Logic Bug (CVE-2025-66557). Nextcloud Deck is a kanban-style organization tool aimed at personal planning and project organization for teams, integrated with Nextcloud. Prior to 1.14.6 and 1.15.2, a bug in the permission logic allowed users with "Can share" permission to modify the permissions of other recipients. This vulnerability is fixed in 1.14.6 and 1.15.2. |
| CVE-2025-66548 | Dec 05, 2025 | Nextcloud Deck file extension spoofing via RTLO (before 1.12.7/1.14.4/1.15.1). Nextcloud Deck is a kanban-style organization tool aimed at personal planning and project organization for teams, integrated with Nextcloud. Prior to 1.12.7, 1.14.4, and 1.15.1, file extensions can be spoofed by using RTLO characters, tricking users into downloading files with a different extension than what is displayed. This vulnerability is fixed in 1.12.7, 1.14.4, and 1.15.1. |
| CVE-2025-66553 | Dec 05, 2025 | Nextcloud Tables Privilege Escalation: View Column Metadata via ID (<=0.8.6/0.9.3). Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.7 and 0.9.4, authenticated users were able to view metadata of columns in other tables of the Tables app by modifying the numeric ID in a request. This vulnerability is fixed in 0.8.7 and 0.9.4. |
| CVE-2025-66551 | Dec 05, 2025 | CVE-2025-66551: Nextcloud Tables Allows Creating & Moving Columns pre-0.8.6/0.9.3. Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.6 and 0.9.3, a malicious user was able to create their own table and then move a column to a victim's table. This vulnerability is fixed in 0.8.6 and 0.9.3. |
| CVE-2025-66513 | Dec 05, 2025 | Nextcloud Tables <1.0.1 Unauthorized Share Permissions Leak. Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.9, 0.9.6, and 1.0.1, the information about which table (numeric ID) is shared with which groups or users, and the respective permissions, was not limited to privileged users. This vulnerability is fixed in 0.8.9, 0.9.6, and 1.0.1. |
| CVE-2025-66550 | Dec 05, 2025 | Nextcloud Calendar auto-download flaw before 4.7.17/5.2.4. Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.17 and 5.2.4, when a malicious user creates a calendar event with a crafted attachment that links to a download link of a file on the same Nextcloud server, the file would be downloaded without the user confirming the action. This vulnerability is fixed in 4.7.17 and 5.2.4. |
| CVE-2025-66546 | Dec 05, 2025 | Nextcloud Calendar Blind Booking by ID before v4.7.19/5.5.6/6.0.1 (CVE-2025-66546). Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.19, 5.5.6, and 6.0.1, the Calendar app allowed blindly booking appointments with a sequential ID without knowing the appointment token. This vulnerability is fixed in 4.7.19, 5.5.6, and 6.0.1. |
| CVE-2025-66511 | Dec 05, 2025 | Nextcloud Calendar <6.0.3 Hash-based Participant Token Leak. Nextcloud Calendar is a calendar app for Nextcloud. Prior to 6.0.3, the Calendar app generates participant tokens for meeting proposals using a hash function, allowing an attacker to compute valid participant tokens, which allowed them to request details and submit dates in meeting proposals. The tokens are not purely randomly generated. This vulnerability is fixed in 6.0.3. |
| CVE-2025-66552 | Dec 05, 2025 | Nextcloud Server admin_audit Logging Flaw (30.0.8, 31.0.0). Nextcloud Server is a self-hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 30.0.9 and 31.0.1, incorrect path handling with groupfolders caused the admin_audit app to not properly log all actions on files and folders inside groupfolders. This vulnerability is fixed in Nextcloud Server and Enterprise Server 30.0.9 and 31.0.1. |
| CVE-2025-66547 | Dec 05, 2025 | CVE-2025-66547: Nextcloud Server <31.0.1 Bulk Tagging Access Control Bypass. Nextcloud Server is a self-hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 31.0.1, non-privileged users can modify tags on files they should not have access to via bulk tagging. This vulnerability is fixed in 31.0.1. |
| CVE-2025-66512 | Dec 05, 2025 | Nextcloud Server <31.0.12/32.0.3 CSP Bypass via Unsanitized SVG. Nextcloud Server is a self-hosted personal cloud system. In Nextcloud Server and Server Enterprise prior to 31.0.12 and 32.0.3, a missing sanitization allowed malicious users to circumvent the content security policy when a malicious user manages to trick a user into viewing an uploaded SVG outside of the Nextcloud Server's web page. |
| CVE-2025-66510 | Dec 05, 2025 | Nextcloud Server <31.0.10 / 32.0.1 Contact Search Data Leak. Nextcloud Server is a self-hosted personal cloud system. In Nextcloud Server prior to 31.0.10 and 32.0.1 and Nextcloud Enterprise Server prior to 28.0.14.11, 29.0.16.8, 30.0.17.3, and 31.0.10, contacts search allowed retrieving personal data of other users (emails, names, identifiers) without proper access control. This allows an authenticated user to retrieve information about accounts that are not related or added as contacts. |
| CVE-2025-59788 | Dec 04, 2025 | Nextcloud PDF Viewer XSS via Crafted PDF (pre-22.2.10.33/23.0.12.29/24.0.12.28). Cross-site scripting (XSS) vulnerability in a reachable files_pdfviewer example directory in Nextcloud with versions before 22.2.10.33, 23.0.12.29, 24.0.12.28, 25.0.13.23, 26.0.13.20, 27.1.11.20, 28.0.14.11, 29.0.16.8, 30.0.17, 31.0.10, and 32.0.1 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted PDF file to viewer.html. This issue is related to CVE-2024-4367, but the root cause of this Nextcloud issue is that the product exposes executable example code on a same-origin basis. |