CVE-2025-66510

CWE-3592 documents2 sources
Severity
4.9MEDIUM
EPSS
0.0%
top 86.42%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud Security-advisoriesNextcloud Nextcloud Server
Timeline
PublishedDec 5

Description

Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 31.0.10 and 32.0.1 and Nextcloud Enterprise Server prior to 28.0.14.11, 29.0.16.8, 30.0.17.3, and 31.0.10, contacts search allowed to retrieve personal data of other users (emails, names, identifiers) without proper access control. This allows an authenticated user to retrieve information about accounts that are not related or added as contacts.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:NExploitability: 0.9 | Impact: 3.6

Affected Packages2 packages

NVDnextcloud/nextcloud_server28.0.028.0.14.11+4
CVEListV5nextcloud/security-advisories< 31.0.10+1

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

1
CVEList
Nextcloud Server Contacts Search allowed users to retrieve contact information of other users beyond their contact list2025-12-05
CVE-2025-66510 (MEDIUM CVSS 4.9) | Nextcloud Server is a self hosted p | cvebase.io