Severity: 6.1 MEDIUM
EPSS: 0.0% (top 91.01%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 16

Description

Nextcloud Desktop is the desktop sync client for Nextcloud. In versions of Nextcloud Desktop prior to 3.15, third-party applications already installed on a user's machine can create link shares for almost all data via the socket API. These shares can then easily be sent to an external service. Nextcloud Desktop fixes the issue in version 3.15. No known workarounds are available.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
Exploitability: 0.8 | Impact: 4.2

Affected Packages (3 packages)

NVD: nextcloud/desktop < 3.15.0
Debian: nextcloud-desktop < 3.15.0-1+1

Patches

Vulnerability Details (2)

OSV: CVE-2025-47792: Nextcloud Desktop is the desktop sync client for Nextcloud (2025-05-16)
CVEList: Nextcloud Desktop 3rdparty applications can create share links via socket API (2025-05-16)

Vendor Advisories (1)

Debian: CVE-2025-47792: nextcloud-desktop - Nextcloud Desktop is the desktop sync client for Nextcloud. In versions of Nextc... (2025)