Nextcloud PDF Viewer XSS via Crafted PDF (pre-22.2.10.33/23.0.12.29/24.0.12.28)
CVE-2025-59788 Published on December 4, 2025
Cross-site scripting (XSS) vulnerability in a reachable files_pdfviewer example directory in Nextcloud with versions before 22.2.10.33, 23.0.12.29, 24.0.12.28, 25.0.13.23, 26.0.13.20, 27.1.11.20, 28.0.14.11, 29.0.16.8, 30.0.17, 31.0.10, and 32.0.1 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted PDF file to viewer.html. This issue is related to CVE-2024-4367, but the root cause of this Nextcloud issue is that the product exposes executable example code on a same-origin basis.
Weakness Type
Exposed Dangerous Method or Function
The software provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.
Products Associated with CVE-2025-59788
Want to know whenever a new CVE is published for Nextcloud? stack.watch will email you.
Affected Versions
Nextcloud:- Before 22.2.10.33 is affected.
- Version 23 and below 23.0.12.29 is affected.
- Version 24 and below 24.0.12.28 is affected.
- Version 25 and below 25.0.13.23 is affected.
- Version 26 and below 26.0.13.20 is affected.
- Version 27 and below 27.1.11.20 is affected.
- Version 28 and below 28.0.14.11 is affected.
- Version 29 and below 29.0.16.8 is affected.
- Version 30 and below 30.0.17 is affected.
- Version 31 and below 31.0.10 is affected.
- Version 32 and below 32.0.1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.